[Swan] Fwd: FW: Setting up LibreSwan VPN router for remote clients

Ravinder Yadav ravinsaya at gmail.com
Tue Mar 10 15:11:23 UTC 2020



Objective of the Libreswan server setup:

   1. Dial-up VPN server for remote clients.
   2. Each remote client has preconfigured data-path subnets for IPsec
   traffic.
      1. The subnet is part of the Phase 2 selector for traffic.
      2. We want to avoid pre-configuration of this subnet (shown below) on
      the server side, since we're trying to scale this against thousands of
      remotes and many VPN servers.
   3. Individual VTI for each remote client subnet – this is preferred.



*Test Setup:* [diagram: image001.png, not included]

*Question 1:* Is there a way we can have only one "leftid" for all the remote
clients (strongSwan)?

>> One conn block on the Libreswan server configuration for all the remote
clients.

conn ipsec01
        leftid=@libswan1.com
        rightsubnet=10.10.0.1/32

*Question 2:* Also, when we set "rightsubnet=0.0.0.0/0" (on the
Libreswan server), IPsec fails due to the following:

The first IPsec 01 connection is successful, but the second IPsec 02 Phase 2
fails and throws the following error:

>> "ipsec02"[1] 10.11.0.2 #10: cannot install eroute -- it is in use for "ipsec01"[7] 10.11.0.1 #11
Mar  9 15:55:33.178415: | delete inbound eroute 0.0.0.0/0:0 --0-> 0.0.0.0/0:0 => unk255.10000@10.11.251.252 (raw_eroute)

conn ipsec01
        leftid=@libswan1.com
        rightsubnet=10.10.0.1/32





*Due to the above two limitations we have to define a conn block on the
Libreswan server for every remote-side client, which we are trying to avoid.*
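An added example, not from the poster or the Libreswan project: a small Python check that parses ipsec.conf conn blocks, merges conn %default, and reports conns that resolve to the same leftsubnet/rightsubnet pair, which is the collision the "cannot install eroute -- it is in use" message above reports when two remotes are both given rightsubnet=0.0.0.0/0. The ipsec.conf fragment and its addresses are constructed for the example.

```python
"""Report Libreswan conn blocks whose traffic selectors collide, i.e. resolve
to the same (leftsubnet, rightsubnet) pair and so compete for one kernel
policy (the "cannot install eroute -- it is in use" failure in the log above)."""
import re
from collections import defaultdict

# Constructed ipsec.conf fragment (not the poster's config): two conns send
# the remote side to 0.0.0.0/0; a third uses a distinct /32 and is fine.
SAMPLE_CONF = """
conn %default
        leftid=@libswan1.com
        leftsubnet=192.168.1.0/24
conn ipsec01
        right=10.11.0.1
        rightsubnet=0.0.0.0/0
conn ipsec02
        right=10.11.0.2
        rightsubnet=0.0.0.0/0
conn ipsec03
        right=10.11.0.3
        rightsubnet=10.10.0.1/32
"""

def parse_conns(text):
    """Return {conn_name: {option: value}} with 'conn %default' merged in."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:                                       # new conn section
            current = m.group(1)
            conns[current] = {}
        elif current is not None and "=" in line:   # option inside a conn
            key, _, val = line.strip().partition("=")
            conns[current][key.strip()] = val.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def selector_conflicts(text):
    """Map (leftsubnet, rightsubnet) -> conn names, keeping only shared pairs."""
    by_selector = defaultdict(list)
    for name, opts in parse_conns(text).items():
        by_selector[(opts.get("leftsubnet"), opts.get("rightsubnet"))].append(name)
    return {sel: names for sel, names in by_selector.items() if len(names) > 1}

if __name__ == "__main__":
    for (lsub, rsub), names in selector_conflicts(SAMPLE_CONF).items():
        print(f"{lsub} <-> {rsub} is shared by {', '.join(names)}")
```

Run against a real ipsec.conf, the only pair reported should be the one the poster hit; a conn that keeps its own rightsubnet (ipsec03 here) is not flagged.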
