[Swan] Setting up LibreSwan VPN router for remote clients

Yadav, Ravinder Ravinder.Yadav at hughes.com
Mon Mar 9 21:22:12 UTC 2020


Objective of the Libreswan server setup:

  1.  Dial-up VPN server for remote clients.
  2.  Each remote client has preconfigured data-path subnets for IPsec traffic.
     *   The subnet is part of the Phase 2 selector for traffic.
     *   We want to avoid pre-configuration of this subnet (shown below) on the server side, since we're trying to scale this to thousands of remotes and many VPN servers.
  3.  Individual VTI for each remote client subnet - this is preferred.

Test Setup:


[image001.png: test setup diagram, attached to the original message and not reproduced here]
Question 1: Is there a way we can have only one "leftid" for all the remote clients (strongswan)?
>> One conn block on the libreswan server configuration for all the remote clients.

conn ipsec01
        leftid=@libswan1.com
        rightsubnet=10.10.0.1/32
Question 2: Also, when we set "rightsubnet=0.0.0.0/0" (on the libreswan server), IPsec fails:
the first IPsec 01 connection is successful, but the second IPsec 02 Phase 2 fails and throws the following error:
>> "ipsec02"[1] 10.11.0.2 #10: cannot install eroute -- it is in use for "ipsec01"[7] 10.11.0.1 #11
Mar  9 15:55:33.178415: | delete inbound eroute 0.0.0.0/0:0 --0-> 0.0.0.0/0:0 => unk255.10000 at 10.11.251.252 (raw_eroute)

conn ipsec01
        leftid=@libswan1.com
        rightsubnet=10.10.0.1/32


Due to the above two limitations, we have to define a conn block on the libreswan server for every remote-side client, which we are trying to avoid.


[image002.png: diagram attached to the original message, not reproduced here]

Attached Config:

Libreswan VPN Server for remote clients:

config setup
        protostack=netkey
        uniqueids=no

conn %default
        ike=aes256-sha1-modp2048
        esp=aes256-sha1-modp2048
        ikelifetime=24h
        lifetime=24h
        authby=secret
        left=10.11.251.252
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        mobike=no
        replay-window=0
        nic-offload=auto
        type=tunnel
        auto=start
        vti-interface=vti-ipip
        vti-routing=yes
        vti-shared=yes
        mark=5/0xffffffff
        #overlapip=yes

conn ipsec01
        leftid=@libswan1.com
        rightsubnet=10.10.0.1/32

conn ipsec02
        leftid=@libswan2.com
        rightsubnet=10.10.0.2/32



Strongswan Remote Client Config:

config setup
        charondebug="ike 0, knl 0, cfg 0"
        uniqueids=no

conn %default
        ike=aes256-sha1-modp2048
        esp=aes256-sha1-modp2048
        keyexchange=ikev2
        ikelifetime=24h
        lifetime=24h
        leftauth=psk
        right=10.11.251.252
        rightsubnet=10.12.0.0/16
        rightauth=psk
        replay_window=0
        type=tunnel
        auto=start

conn ipsec01
        left=10.11.0.1
        leftid=@strswan1.com
        rightid=@libswan1.com
        leftsubnet=10.10.0.1/32

conn ipsec02
        left=10.11.0.2
        leftid=@strswan2.com
        rightid=@libswan2.com
        leftsubnet=10.10.0.2/32


-Ravin
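Editor's added example (not part of the original message, and not a configuration shipped by the libreswan project): a single responder-side conn that serves every strongswan client with one leftid, instead of one conn per client. The idea is to let the IKEv2 initiator narrow the traffic selector: the server advertises rightsubnet=0.0.0.0/0 as a template and sets narrowing=yes, so each client's proposed /32 (10.10.0.1/32, 10.10.0.2/32, ...) becomes the installed selector rather than the shared 0.0.0.0/0 one that the log above shows colliding between "ipsec01" and "ipsec02". Cipher and lifetime values are kept identical to the client config in the message so the two ends still match; the PSK strings are placeholders, and this assumes a libreswan build with IKEv2 and the narrowing= option.

```ini
# /etc/ipsec.conf on the libreswan server (added example, not from the post)
config setup
        protostack=netkey
        uniqueids=no

# One template conn for all remote clients. right=%any plus rightid=%any means
# any peer may match; the client is told apart by its IKE ID, which also selects
# its PSK in ipsec.secrets below.
conn remotes
        ikev2=insist                  # narrowing below is an IKEv2 feature
        ike=aes256-sha1-modp2048      # matches the strongswan client config in the post
        esp=aes256-sha1-modp2048      # (prefer sha2_256 when both ends support it)
        ikelifetime=24h
        lifetime=24h
        authby=secret
        left=10.11.251.252
        leftid=@libswan1.com          # the single server identity every client uses as rightid
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightsubnet=0.0.0.0/0         # template only: with narrowing=yes the SA is
        narrowing=yes                 # narrowed to the selector the client proposes
        type=tunnel
        auto=add                      # responder: wait for clients, never initiate to %any
        vti-interface=vti-ipip
        vti-routing=yes               # route each narrowed client subnet via the VTI
        vti-shared=yes
        mark=5/0xffffffff

# /etc/ipsec.secrets (placeholder PSKs, constructed for this example): one line per
# client, keyed by the client's IKE ID, so each remote keeps its own secret
# @libswan1.com @strswan1.com : PSK "placeholder-psk-client-1"
# @libswan1.com @strswan2.com : PSK "placeholder-psk-client-2"
```

On the client side this only requires rightid=@libswan1.com in every strongswan conn; the client's leftsubnet stays its own /32 and its rightsubnet=10.12.0.0/16 is likewise narrowed against the server's 0.0.0.0/0. The caveat against objective 3 above: because vti-shared=yes and a fixed mark apply to every instance of the template, all client SAs land on the one vti-ipip device, so this addresses the per-client conn block and the eroute conflict but does not give one VTI per remote. After a client connects, check with `ipsec status` (or `ipsec trafficstatus`) that the instantiated conn shows the narrowed /32, and with `ip xfrm policy` that no two policies share the 0.0.0.0/0 selector pair.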