[Swan] Setting up LibreSwan VPN router for remote clients

Yadav, Ravinder Ravinder.Yadav at hughes.com
Tue Mar 10 14:48:13 UTC 2020


Objective of the Libreswan server setup:

  1.  Dialup VPN server for remote clients.
  2.  Each remote client has preconfigured data path subnets for IPsec traffic.
     *   The subnet is part of the Phase 2 selector for traffic.
     *   We want to avoid pre-configuration of this subnet (shown below) on the server side, since we're trying to scale this against thousands of remotes and many VPN servers.
  3.  Individual VTI for each remote client subnet - this is preferred.

Test Setup:

Question 1: Is there a way we can have only one "leftid" for all the remote clients (strongSwan)?
>> One conn block in the Libreswan server configuration for all the remote clients.

conn ipsec01
        leftid=@libswan1.com
        rightsubnet=10.10.0.1/32

Question 2: Also, when we set "rightsubnet=0.0.0.0/0" (on the Libreswan server), IPsec fails as follows:
The first IPsec 01 connection is successful, but the second IPsec 02 Phase 2 fails and throws the following error:
>> "ipsec02"[1] 10.11.0.2 #10: cannot install eroute -- it is in use for "ipsec01"[7] 10.11.0.1 #11
Mar  9 15:55:33.178415: | delete inbound eroute 0.0.0.0/0:0 --0-> 0.0.0.0/0:0 => unk255.10000 at 10.11.251.252 (raw_eroute)


Due to the above two limitations, we have to define a conn block on the Libreswan server for every remote-side client, which is what we are trying to avoid.
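One way to express the single-conn goal described above, as an added example that is not from the original post and has not been verified against this setup: it assumes the remote peers speak IKEv2 with certificate authentication, so the server can publish `rightsubnet=0.0.0.0/0` once and rely on IKEv2 narrowing to accept each client's narrower traffic selector (which also means each instance installs its own narrowed policy rather than a competing 0.0.0.0/0 eroute). The server-side subnet, certificate nickname and VTI name are placeholders.

```conf
# /etc/ipsec.d/remotes.conf (added example; values marked are placeholders)
conn remotes
        # Server side: one identity and one certificate for every client
        left=%defaultroute
        leftid=@libswan1.com
        leftcert=libswan1-server           # placeholder NSS nickname
        leftsubnet=192.168.100.0/24        # placeholder server-side data subnet

        # Client side: any source address, identity taken from the client cert
        right=%any
        rightid=%fromcert
        rightca=%same

        # Do not enumerate each client's subnet here; with IKEv2 narrowing the
        # responder accepts whatever narrower selector the client proposes
        rightsubnet=0.0.0.0/0
        narrowing=yes
        ikev2=insist
        authby=rsasig

        # A template conn instantiated from %any cannot name a distinct VTI per
        # client, so this variant shares one VTI across all instances; routing
        # into it is left to the admin (vti-routing=no).
        vti-interface=vti01                # placeholder interface name
        vti-shared=yes
        vti-routing=no

        auto=add
```

Per-client VTIs would still need either a per-client conn or a different approach, so this covers Question 1 and Question 2 but not point 3 of the objectives.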
