[Swan] routing across two tunnels

Computerisms Corporation bob at computerisms.ca
Thu Jan 30 21:00:29 UTC 2020


Hi All,

Took another stab at this last night and found the solution was actually 
quite simple, almost embarrassingly so.  Posting here in case other 
people have a hard time seeing the obvious like I did...

First, the firewall needs to be able to talk directly to a host on the 
remote LAN.  Accomplished with leftsourceip=firewall.lan.ip and an OUTPUT 
rule in the filter table of iptables.

Next, route traffic from the Roadwarrior subnet to the Remote Subnet in the 
nat table of iptables:

-A POSTROUTING -s 10.25.0.0/24 -d 192.168.0.0/24 -j SNAT --to-source 192.168.25.1

After that, pound on the keyboard furiously for a while so everybody 
thinks it was so much harder than it actually was...


On 2015-06-11 1:04 p.m., Nick Howitt wrote:
> Hi Bob,
> 
> As soon as you mention transport mode I am lost as I've never used it or 
> got my mind round it so I don't understand it. Ditto passthrough conns, 
> so you could be way ahead of me. If I were doing it, I'd use tunnel mode.
> 
> I've done something slightly similar from an OpenVPN roadwarrior 
> connecting to my server then onto a remote IPsec LAN on a Draytek 
> router. The Draytek additional LAN solution I think, is proprietary and 
> I could not get it to interoperate with Libreswan. I got round the issue 
> by configuring OpenVPN to use the 172.12.3.0/24 subnet on the server 
> with a server LAN subnet of 172.17.2.0/24. I then set up a tunnel in 
> Libreswan to the Draytek for the 172.17.2.0/23 subnet (which, to save 
> you doing the subnet calculation, encompasses the 172.17.2.0/14 and 
> 172.17.3.0/24 subnets). This got round the need to set up two tunnels 
> but it should also work with two tunnels (or two subnets tunnelled) if 
> you can get them to work between the Sonicwall and Libreswan. OpenVPN 
> was configured to push routes for both the server LAN subnet and remote 
> LAN subnet.
> 
> Regards,
> 
> Nick
> 
> On 11/06/2015 04:18, Bob Miller wrote:
>>
>> Hi Nick,
>>
>> thanks for your reply, and I apologize for my tardy response.
>>
>>> Do you have a tunnel from your roadwarrior to Libreswan for the subnet
>>> 192.168.0.0/24? I don't know the Windows client (or any ikev2 details
>>> therefore my knowledge is entirely theoretical) so I don't know if you
>>> can use left/rightsubnets in Libreswan or if you have to define two
>>> different tunnels.
>>>
>>> Similarly you will need a tunnel with subnets from 10.25.0.0/24 and
>>> 192.168.25.0/24. When negotiating these tunnels with the Sonicwall, do
>>> you see both coming up? Again, if the Sonicwall can't cope you may also
>>> need to define two separate tunnels from Libreswan.
>>
>> hm.  I think I see where you are going with this... the answer is that 
>> I have attempted to make such a tunnel with a passthrough conn, but I 
>> do not have a 3rd dedicated tunnel from roadwarrior to sonicwall.  If 
>> I did have a dedicated tunnel like that, would libreswan not then 
>> connect to that tunnel and make the LAN and internet inaccessible?  
>> What I have (non-network details trimmed):
>>
>> conn lan2sonic
>>    left=199.247.233.69
>>    leftsubnet=192.168.25.0/24
>>    leftnexthop=%defaultroute
>>    right=184.69.103.190
>>    rightsubnet=192.168.0.0/24
>>    rightnexthop=%defaultroute
>>
>> conn rw-ikev2
>>    left=199.247.233.69
>>    leftsubnet=0.0.0.0/0
>>    right=%any
>>    rightaddresspool=10.25.0.2-10.25.0.20
>>
>> A note regarding leftsubnet=0.0.0.0/0: this being my first attempt at 
>> ikev2, I found that the way I did it with l2tp (setting left subnet to 
>> be that of LAN and setting up iptables for forwarding) was 
>> insufficient.  I forget what details I tripped on that clued me into 
>> trying 0.0.0.0/0, but when I did, internet works for roadwarriors 
>> without split tunnelling.  If I just set leftsubnet=192.168.25.0/24, I 
>> get connection to the LAN, but no internet.
>>
>> That said, I had no better success on a l2tp setup, but I was 
>> admittedly less aggressive in my attempts to get that one working.
>>
>> I tried a lot of variations, but one example of my attempt with a 
>> passthrough conn:
>>
>> conn rw-pass-vic
>>    left=%any
>>    leftsubnet=10.25.0.0/24
>>    right=184.69.103.190
>>    rightsubnet=192.168.0.0/24
>>
>> I tried in conn lan2sonic using
>>
>> leftsubnets=192.168.25.0/24, 10.25.0.0/24
>>
>> I also tried in conn rw-ikev2 using
>>
>> leftsubnets=0.0.0.0/0, 192.168.0.0/24
>>
>> Given that the leftsubnet on the ikev2 connection is 0.0.0.0/0, and 
>> the packets find their way to the 192.168.25.0/24 network, I kind of 
>> think that packets for 192.168.0.0/24 should similarly find their way 
>> on to the tunnel destined for the sonicwall, but tcpdump shows they 
>> head out to the internet.  Since my expectations were not met, I have 
>> just been trying stuff, hoping to make the light bulb go on. maybe I 
>> have had my conns right, but some other variable wrong.  This is why I 
>> am hoping to gain a better understanding of what is supposed to 
>> happen, maybe then I can figure out how to get there...
>>
>>>  From a different angle, what is your roadwarrior's local LAN subnet
>>> when performing these tests? If it is 192.168.0.0/24 then you have a big
>>> issue as both the local and (very) remote subnets are the same.
>>
>> My roadwarrior is across the internet in a subnet 192.168.26.0/24, so 
>> should be no conflict there...
>>
>> Thanks again for your response, Nick, really appreciate it...
>>
>>>
>>> Regards,
>>>
>>> Nick
>>>
>>> On 2015-06-07 01:23, Bob Miller wrote:
>>>> Hi,
>>>>
>>>> I am not sure if I am being dense and not seeing what is there, or if
>>>> what I am looking for really isn't there.
>>>>
>>>> I have a firewall running libreswan that has an ipsec/psk net2net
>>>> tunnel configured between it and a sonicwall device.  This firewall
>>>> also has multiple road warriors connecting to the local network behind
>>>> it. Remote windows machines are configured with ikev2.
>>>>
>>>> the gist:
>>>> 192.168.0.0/24(sonicwall)<=>ETH0:libreswan:ETH1<=>192.168.25.0(LAN)
>>>> 10.25.0.0/24(roadwarriors)<=^ ^=>Internet
>>>>
>>>> each segment works fine;
>>>> remotelan<=>LAN, RW<=>LAN, Internet<=>LAN works great
>>>> RW<=>LAN, RW<=>Internet works great.
>>>> remotelan<=>internet doesn't work, which is great.
>>>>
>>>> Now I want the roadwarriors to access the remote lan, but I can't seem
>>>> to figure it out.
>>>>
>>>> It happens I have another identical situation, with the singular
>>>> difference that the road warriors are connecting via l2tp.  I have
>>>> tried to get the same thing working on that one in the hopes that
>>>> something about l2tp would magically work and grant me understanding.
>>>>
>>>> I have been at it for a while now, it would be tough to list all I
>>>> have done, but generally I started at iptables, thinking it would be a
>>>> simple forwarding thing.  I made sure I wasn't nat'ing my traffic,
>>>> forward rules are in place, etc.  maybe there is a problem there, but
>>>> I don't see it if there is.
>>>>
>>>> Next I played with left/rightsubnets (as opposed to singular subnet)
>>>> as per what I found in the ipsec.conf man page.  I think I tried every
>>>> combination at least twice, but nothing changed there.
>>>>
>>>> I looked through more of the docs.  I found passthrough conns, which
>>>> seem like what I might want, but the only examples I can find are for
>>>> extruded subnets, where one side is a smaller subset of a larger
>>>> subnet on the other side.  regardless, tried a bunch of ways to make
>>>> that work but no success.  I also looked through the multi-net
>>>> examples, but those seem related to klips, and I think I need to find
>>>> and study the context of those examples to get value from them...
>>>>
>>>> On google, I found a limited number of posts that discuss the topic.
>>>> In the posts that seemed relevant, I could follow the discussion, but
>>>> in no cases could I translate the examples to a working config on this
>>>> firewall.
>>>>
>>>> I am not afraid to read and try and figure it out on my own, but I
>>>> don't think I am reading the right stuff.  or if I am I haven't
>>>> recognized it yet.  could someone kindly point me at the definitive
>>>> thing I need to read and understand to achieve my goal?
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
> 
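The mechanism behind the fix Bob posts at the top of the thread, written out as an added example (it is not code from the thread or from Libreswan). It models the two conns as outbound IPsec policy selectors and the POSTROUTING rule as an iptables-style first-match SNAT, then walks a roadwarrior packet through both. The model assumes what Bob's tcpdump shows: a forwarded packet whose source/destination pair matches no policy leaves in clear text, and after SNAT the policy lookup is repeated with the rewritten source. 192.168.25.1 is the --to-source address from Bob's rule; the host addresses 10.25.0.5, 192.168.0.10 and 192.168.25.40 are constructed sample values.

```python
"""Why roadwarrior -> remote-LAN packets bypass the net2net tunnel until they
are source-NATed into its left subnet (model of the thread's Libreswan setup)."""
from ipaddress import ip_address, ip_network

# Subnets taken from the conns quoted in the thread.
REMOTE_LAN = ip_network("192.168.0.0/24")    # behind the Sonicwall
LOCAL_LAN = ip_network("192.168.25.0/24")    # behind the Libreswan firewall
RW_POOL = ip_network("10.25.0.0/24")         # rightaddresspool of rw-ikev2
ANY = ip_network("0.0.0.0/0")                # leftsubnet of rw-ikev2
FIREWALL_LAN_IP = ip_address("192.168.25.1") # --to-source in Bob's SNAT rule

# Outbound policy selectors as (conn, local selector, remote selector).
# A packet is only placed on a tunnel when src is in the local selector
# AND dst is in the remote selector of the same conn.
POLICIES = [
    ("lan2sonic", LOCAL_LAN, REMOTE_LAN),
    ("rw-ikev2", ANY, RW_POOL),
]

# Bob's nat-table rule as (match src, match dst, new src).
SNAT_RULES = [(RW_POOL, REMOTE_LAN, FIREWALL_LAN_IP)]


def iptables_snat_rule(rule):
    """Render one SNAT tuple in the iptables-save form used in the thread."""
    msrc, mdst, new_src = rule
    return f"-A POSTROUTING -s {msrc} -d {mdst} -j SNAT --to-source {new_src}"


def lookup_policy(src, dst):
    """Return the conn whose selectors match src->dst, or None for clear text."""
    for name, local, remote in POLICIES:
        if src in local and dst in remote:
            return name
    return None


def apply_snat(src, dst, rules):
    """First matching rule wins, as in the iptables nat table."""
    for msrc, mdst, new_src in rules:
        if src in msrc and dst in mdst:
            return new_src
    return src


def forward(src, dst, snat_rules=()):
    """Forward a decapsulated packet: NAT first, then the IPsec policy lookup
    is repeated with the (possibly rewritten) source.
    Returns (effective source, conn or None)."""
    src, dst = ip_address(src), ip_address(dst)
    nat_src = apply_snat(src, dst, snat_rules)
    return str(nat_src), lookup_policy(nat_src, dst)


def reply_tunnel(remote_host, roadwarrior):
    """Return path: the reply arrives on lan2sonic addressed to 192.168.25.1,
    conntrack has already restored the roadwarrior's real address as dst,
    so the outbound lookup must land on the roadwarrior conn."""
    return lookup_policy(ip_address(remote_host), ip_address(roadwarrior))


if __name__ == "__main__":
    # Assumed sample hosts: a roadwarrior, a remote-LAN host, a local-LAN host.
    for label, rules in (("before SNAT", ()), ("after SNAT", SNAT_RULES)):
        print(label, forward("10.25.0.5", "192.168.0.10", rules))
    print("LAN host unaffected", forward("192.168.25.40", "192.168.0.10", SNAT_RULES))
    print("reply tunnel", reply_tunnel("192.168.0.10", "10.25.0.5"))
    print(iptables_snat_rule(SNAT_RULES[0]))
```

Without the rule the roadwarrior packet matches neither conn (its source is outside 192.168.25.0/24 and its destination is outside the address pool), which is exactly the "heads out to the internet" tcpdump result. Because the rule is scoped to the pool and the remote subnet, LAN hosts and roadwarrior internet traffic are untouched. One consequence worth keeping in mind on the Sonicwall side: every roadwarrior now appears there as 192.168.25.1, so any per-host logging or access rules on the remote LAN see the firewall, not the individual client.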

