[Swan] routing across two tunnels

Computerisms Corporation bob at computerisms.ca
Thu Jan 30 21:00:29 UTC 2020

Hi All,

Took another stab at this last night and found the solution was actually 
quite simple, almost embarrassingly so.  Posting here in case other 
people have a hard time seeing the obvious like I did...

First, firewall needs to be able to talk directly to a host on the 
remote LAN.  Accomplished with leftsourceip=firewall.lan.ip and OUTPUT 
rule in filter table of iptables.

Next, route traffic from Roadwarrior subnet to Remote Subnet in nat 
table of iptables;

-A POSTROUTING -s -d -j SNAT --to-source

After that, pound on the keyboard furiously for a while so everybody 
thinks it was so much harder than it actually was...

On 2015-06-11 1:04 p.m., Nick Howitt wrote:
> Hi Bob,
> As soon as you mention transport mode I am lost as I've never used it or 
> got my mind round it so I don't understand it. Ditto passthrough conns, 
> so you could be way ahead of me. If I were doing it, I'd use tunnel mode.
> I've done something slightly similar from an OpenVPN roadwarrior 
> connecting to my server then onto a remote IPsec LAN on a Draytek 
> router. The Draytek additional LAN solution I think, is proprietary and 
> I could not get it to interoperate with Libreswan. I got round the issue 
> by configuring OpenVPN to use the subnet on the server 
> with a server LAN subnet of I then set up a tunnel in 
> Libreswan to the Draytek for the subnet (which, to save 
> you doing the subnet calculation, encompasses the and 
> subnets). This got round the need to set up two tunnels 
> but it should also work with two tunnels (or two subnets tunnelled) if 
> you can get them to work between the Sonicwall and Libreswan. OpenVPN 
> was configured to push routes for both the server LAN subnet and remote 
> LAN subnet.
> Regards,
> Nick
> On 11/06/2015 04:18, Bob Miller wrote:
>> Hi Nick,
>> thanks for your reply, and I apologize for my tardy response.
>>> Do you have a tunnel from your roadwarrior to Libreswan for the subnet
>>> I don't know the Windows client (or any ikev2 details
>>> therefore my knowledge is entirely theoretical) so I don't know if you
>>> can use left/rightsubnets in Libreswan or if you have to define two
>>> different tunnels.
>>> Similarly you will need a tunnel with subnets from and
>>> When negotiating these tunnels with the Sonicwall, do
>>> you see both coming up? Again, if the Sonicwall can't cope you may also
>>> need to define two separate tunnels from Libreswan.
>> hm.  I think I see where you are going with this... the answer is that 
>> I have attempted to make such a tunnel with a passthrough conn, but I 
>> do not have a 3rd dedicated tunnel from roadwarrior to sonicwall.  If 
>> I did have a dedicated tunnel like that, would libreswan not then 
>> connect to that tunnel and make the LAN and internet inaccessible?  
>> What I have (non-network details trimmed):
>> conn lan2sonic
>>    left=
>>    leftsubnet=
>>    leftnexthop=%defaultroute
>>    right=
>>    rightsubnet=
>>    rightnexthop=%defaultroute
>> conn rw-ikev2
>>    left=
>>    leftsubnet=
>>    right=%any
>>    rightaddresspool=
>> A note regarding leftsubnet= this being my first attempt at 
>> ikev2, I found that the way I did it with l2tp (setting left subnet to 
>> be that of LAN and setting up iptables for forwarding) was 
>> insufficient.  I forget what details I tripped on that clued me into 
>> trying, but when I did, internet works for roadwarriors 
>> without split tunnelling.  If I just set leftsubnet=, I 
>> get connection to the LAN, but no internet.
>> That said, I had no better success on a l2tp setup, but I was 
>> admittedly less aggressive in my attempts to get that one working.
>> I tried a lot of variations, but one example of my attempt with a 
>> passthrough conn:
>> conn rw-pass-vic
>>    left=%any
>>    leftsubnet=
>>    right=
>>    rightsubnet=
>> I tried in conn lan2sonic using
>> leftsubnets=,
>> I also tried in conn rw-ikev2 using
>> leftsubnets=,
>> Given that the leftsubnet on the ikev2 connection is, and 
>> the packets find their way to the network, I kind of 
>> think that packets for should similarly find their way 
>> on to the tunnel destined for the sonicwall, but tcpdump shows they 
>> head out to the internet.  Since my expectations were not met, I have 
>> just been trying stuff, hoping to make the light bulb go on. maybe I 
>> have had my conns right, but some other variable wrong.  This is why I 
>> am hoping to gain a better understanding of what is supposed to 
>> happen, maybe then I can figure out how to get there...
>>> From a different angle, what is your roadwarrior's local LAN subnet
>>> when performing these tests? If is then you have a big
>>> issue as both the local and (very) remote subnets are the same.
>> My roadwarrior is across the internet in a subnet, so 
>> should be no conflict there...
>> Thanks again for your response, Nick, really appreciate it...
>>> Regards,
>>> Nick
>>> On 2015-06-07 01:23, Bob Miller wrote:
>>>> Hi,
>>>> I am not sure if I am being dense and not seeing what is there, or if
>>>> what I am looking for really isn't there.
>>>> I have a firewall running libreswan that has an ipsec/psk net2net
>>>> tunnel configured between it and a sonicwall device.  This firewall
>>>> also has multiple road warriors connecting to the local network behind
>>>> it. Remote windows machines are configured with ikev2.
>>>> the gist:
>>>><=^ ^=>Internet
>>>> each segment works fine;
>>>> remotelan<=>LAN, RW<=>LAN, Internet<=>LAN works great
>>>> RW<=>LAN, RW<=>Internet works great.
>>>> remotelan<=>internet doesn't work, which is great.
>>>> Now I want the roadwarriors to access the remote lan, but I can't seem
>>>> to figure it out.
>>>> It happens I have another identical situation, with the singular
>>>> difference that the road warriors are connecting via l2tp.  I have
>>>> tried to get the same thing working on that one in the hopes that
>>>> something about l2tp would magically work and grant me understanding.
>>>> I have been at it for a while now, it would be tough to list all I
>>>> have done, but generally I started at iptables, thinking it would be a
>>>> simple forwarding thing.  I made sure I wasn't nat'ing my traffic,
>>>> forward rules are in place, etc.  maybe there is a problem there, but
>>>> I don't see it if there is.
>>>> Next I played with left/rightsubnets (as opposed to singular subnet)
>>>> as per what I found in the ipsec.conf man page.  I think I tried every
>>>> combination at least twice, but nothing changed there.
>>>> I looked through more of the docs.  I found passthrough conns, which
>>>> seem like what I might want, but the only examples I can find are for
>>>> extruded subnets, where one side is a smaller subset of a larger
>>>> subnet on the other side.  regardless, tried a bunch of ways to make
>>>> that work but no success.  I also looked through the multi-net
>>>> examples, but those seem related to klips, and I think I need to find
>>>> and study the context of those examples to get value from them...
>>>> On google, I found a limited number of posts that discuss the topic.
>>>> In the posts that seemed relevant, I could follow the discussion, but
>>>> in no cases could I translate the examples to a working config on this
>>>> firewall.
>>>> I am not afraid to read and try and figure it out on my own, but I
>>>> don't think I am reading the right stuff.  or if I am I haven't
>>>> recognized it yet.  could someone kindly point me at the definitive
>>>> thing I need to read and understand to achieve my goal?
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
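An added illustration of why Bob's SNAT rule works (this is not code from the thread or from Libreswan): it models the outbound IPsec policy lookup for the two conns in the thread and shows that traffic from the road-warrior pool to the remote LAN matches no policy until its source is rewritten to the firewall's LAN address. All addresses are constructed placeholders, since the real subnets were stripped from the archive.

```python
import ipaddress

# Constructed example addresses (placeholders, not the thread's real subnets).
LAN = ipaddress.ip_network("10.1.0.0/24")          # LAN behind the Libreswan firewall
REMOTE_LAN = ipaddress.ip_network("10.2.0.0/24")   # LAN behind the Sonicwall
RW_POOL = ipaddress.ip_network("10.9.0.0/24")      # rightaddresspool= for road warriors
FW_LAN_IP = ipaddress.ip_address("10.1.0.1")       # leftsourceip= on the firewall

# Outbound policies as (conn, local_selector, remote_selector), mirroring the
# thread's conns: lan2sonic (LAN <-> remote LAN) and rw-ikev2 (leftsubnet=0.0.0.0/0).
POLICIES = [
    ("lan2sonic", LAN, REMOTE_LAN),
    ("rw-ikev2", ipaddress.ip_network("0.0.0.0/0"), RW_POOL),
]


def match_policy(src, dst):
    """Return the first conn whose selectors cover (src, dst), or None when the
    packet matches nothing and would leave in the clear via the default route.
    This is a simplified model of the kernel SPD lookup, not Libreswan's code."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, local, remote in POLICIES:
        if s in local and d in remote:
            return name
    return None


def snat_then_match(src, dst, rw_pool=RW_POOL, remote=REMOTE_LAN, new_src=FW_LAN_IP):
    """Model Bob's POSTROUTING rule: packets from the road-warrior pool to the
    remote LAN get their source rewritten to the firewall's LAN address, so the
    policy lookup afterwards sees a LAN -> remote-LAN packet and picks lan2sonic.
    Returns (effective_source, matched_conn)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in rw_pool and d in remote:
        s = new_src
    return str(s), match_policy(str(s), str(d))


if __name__ == "__main__":
    # Without SNAT the road-warrior packet is unprotected (tcpdump shows it
    # heading to the internet, as Bob observed); with SNAT it rides lan2sonic.
    print("no SNAT :", match_policy("10.9.0.5", "10.2.0.7"))
    print("with SNAT:", snat_then_match("10.9.0.5", "10.2.0.7"))
    print("internet :", snat_then_match("10.9.0.5", "203.0.113.9"))
```

Return traffic from the remote LAN arrives addressed to the firewall's LAN IP, is de-NATed by conntrack, and then matches rw-ikev2 on its way back to the road warrior, which is why the single rule is enough.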
