[Swan] Setting up LibreSwan VPN router for remote clients
Yadav, Ravinder
Ravinder.Yadav at hughes.com
Mon Mar 9 21:22:12 UTC 2020
Objective of the Libreswan server setup:
1. Dial-up VPN server for remote clients.
2. Each remote client has preconfigured data-path subnets for IPsec traffic.
* The subnet is part of the Phase 2 selector for traffic.
* We want to avoid pre-configuration of this subnet (shown below) on the server side since we're trying to scale this against thousands of remotes and many VPN servers.
3. Individual VTI for each remote client subnet - this is preferred.
Test Setup:
[Attachment: image001.png (test setup diagram), https://lists.libreswan.org/pipermail/swan/attachments/20200309/204ad54c/attachment-0002.png]
Question 1: Is there a way we can have only one "leftid" for all the remote clients (strongswan)?
>> One conn block on the libreswan server configuration for all the remote clients.
conn ipsec01
    leftid=@libswan1.com
    rightsubnet=10.10.0.1/32
Question 2: Also, when we set "rightsubnet=0.0.0.0/0" (on the libreswan server), IPsec fails. The first IPsec 01 connection is successful, but the second IPsec 02 phase 2 fails and throws the following error:
>> "ipsec02"[1] 10.11.0.2 #10: cannot install eroute -- it is in use for "ipsec01"[7] 10.11.0.1 #11
Mar 9 15:55:33.178415: | delete inbound eroute 0.0.0.0/0:0 --0-> 0.0.0.0/0:0 => unk255.10000 at 10.11.251.252 (raw_eroute)
conn ipsec01
    leftid=@libswan1.com
    rightsubnet=10.10.0.1/32
Due to the above two limitations, we have to define a conn block on the libreswan server for every remote-side client, which we are trying to avoid.
[Attachment: image002.png, https://lists.libreswan.org/pipermail/swan/attachments/20200309/204ad54c/attachment-0003.png]
Attached Config:
Libreswan VPN server for remote clients (/etc/ipsec.conf):
config setup
    protostack=netkey
    uniqueids=no

conn %default
    ike=aes256-sha1-modp2048
    esp=aes256-sha1-modp2048
    ikelifetime=24h
    lifetime=24h
    authby=secret
    left=10.11.251.252
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    mobike=no
    replay-window=0
    nic-offload=auto
    type=tunnel
    auto=start
    vti-interface=vti-ipip
    vti-routing=yes
    vti-shared=yes
    mark=5/0xffffffff
    #overlapip=yes

conn ipsec01
    leftid=@libswan1.com
    rightsubnet=10.10.0.1/32

conn ipsec02
    leftid=@libswan2.com
    rightsubnet=10.10.0.2/32
Strongswan remote client config (/etc/ipsec.conf):
config setup
    charondebug="ike 0, knl 0, cfg 0"
    uniqueids=no

conn %default
    ike=aes256-sha1-modp2048
    esp=aes256-sha1-modp2048
    keyexchange=ikev2
    ikelifetime=24h
    lifetime=24h
    leftauth=psk
    right=10.11.251.252
    rightsubnet=10.12.0.0/16
    rightauth=psk
    replay_window=0
    type=tunnel
    auto=start

conn ipsec01
    left=10.11.0.1
    leftid=@strswan1.com
    rightid=@libswan1.com
    leftsubnet=10.10.0.1/32

conn ipsec02
    left=10.11.0.2
    leftid=@strswan2.com
    rightid=@libswan2.com
    leftsubnet=10.10.0.2/32
-Ravin
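The two failure modes in the mail (a server conn block per remote and the "cannot install eroute -- it is in use" error when every conn carries rightsubnet=0.0.0.0/0) both come down to traffic selectors: each conn on the server must end up with a (leftsubnet, rightsubnet) pair that does not collide with another conn's, and it must agree with what the strongswan side proposes. The script below is an added example, not part of the original post and not libreswan or strongswan code: it parses the two ipsec.conf files quoted above (trimmed, constructed sample input), applies "conn %default" inheritance, checks that each client conn's selectors match the server conn with the corresponding leftid, and flags conn pairs whose selectors overlap on both sides, which reproduces the 0.0.0.0/0 clash as a static check before the configs are loaded. It assumes flat files (no "also=" includes), plain IPv4 CIDR selectors (no vhost:/%priv), and it does not model IKEv2 narrowing; all function names are the example's own.

```python
import ipaddress
# Constructed sample input: the two configurations quoted in the mail, trimmed to
# the parameters the checks use, with the indentation ipsec.conf requires restored.
SERVER_CONF = """\
conn %default
    left=10.11.251.252
    leftsubnet=0.0.0.0/0
    right=%any
    #overlapip=yes

conn ipsec01
    leftid=@libswan1.com
    rightsubnet=10.10.0.1/32

conn ipsec02
    leftid=@libswan2.com
    rightsubnet=10.10.0.2/32
"""
CLIENT_CONF = """\
conn %default
    right=10.11.251.252
    rightsubnet=10.12.0.0/16

conn ipsec01
    left=10.11.0.1
    leftid=@strswan1.com
    rightid=@libswan1.com
    leftsubnet=10.10.0.1/32

conn ipsec02
    left=10.11.0.2
    leftid=@strswan2.com
    rightid=@libswan2.com
    leftsubnet=10.10.0.2/32
"""

def parse_ipsec_conf(text):
    """Parse ipsec.conf into {(kind, name): {key: value}} (also= is not modelled)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                       # 'conn NAME' / 'config setup'
            kind, _, name = line.strip().partition(" ")
            current = (kind, name.strip())
            sections[current] = {}
        else:                                           # indented key=value
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def effective_conns(sections):
    """Apply 'conn %default' inheritance; returns {conn_name: params}."""
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **params} for (kind, name), params in sections.items()
            if kind == "conn" and name != "%default"}

def selector(params, side):
    """Traffic selector of one side (IPv4 only). Without <side>subnet the endpoint's
    own address /32 is used, which is the ipsec.conf default."""
    return ipaddress.ip_network(params.get(side + "subnet") or params[side] + "/32", strict=False)

def find_overlapping_selectors(conns):
    """Pairs of conns whose left AND right selectors overlap: both would claim the same kernel policy."""
    items, clashes = sorted(conns.items()), []
    for i, (a, pa) in enumerate(items):
        for b, pb in items[i + 1:]:
            if (selector(pa, "left").overlaps(selector(pb, "left"))
                    and selector(pa, "right").overlaps(selector(pb, "right"))):
                clashes.append((a, b))
    return clashes

def check_peer_selectors(server_conns, client_conns):
    """Pair each client conn with the server conn whose leftid equals the client's
    rightid and compare selectors from both ends; returns {conn: "ok" | reason}."""
    by_leftid = {p.get("leftid"): (n, p) for n, p in server_conns.items()}
    results = {}
    for name, c in client_conns.items():
        sname, s = by_leftid.get(c.get("rightid"), (None, None))
        if s is None:
            results[name] = f"no server conn with leftid={c.get('rightid')}"
        elif selector(s, "right") != selector(c, "left"):
            results[name] = f"{sname}: server rightsubnet != client leftsubnet"
        elif not selector(s, "left").supernet_of(selector(c, "right")):
            results[name] = f"{sname}: server leftsubnet does not cover client rightsubnet"
        else:
            results[name] = "ok"
    return results

def with_rightsubnet(conns, subnet):
    """Copy of conns with every rightsubnet replaced (the 0.0.0.0/0 variant from the mail)."""
    return {n: {**p, "rightsubnet": subnet} for n, p in conns.items()}

if __name__ == "__main__":
    server = effective_conns(parse_ipsec_conf(SERVER_CONF))
    client = effective_conns(parse_ipsec_conf(CLIENT_CONF))
    print("peer check:", check_peer_selectors(server, client))
    print("clashes, per-client /32:", find_overlapping_selectors(server))
    print("clashes, rightsubnet=0.0.0.0/0:", find_overlapping_selectors(with_rightsubnet(server, "0.0.0.0/0")))
```

With the per-client /32 selectors the two server conns do not clash and every client conn matches its peer; replacing both rightsubnet values with 0.0.0.0/0 makes ipsec01 and ipsec02 identical on both sides, which is exactly the pair the kernel refused to install a second eroute for. Running a check like this over generated configs is cheaper than discovering the collision from the second tunnel's Phase 2 failure.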