[Swan] Road warriors and dhcp

Paul Wouters paul at nohats.ca
Mon Jan 4 04:31:04 UTC 2021


On Sun, 3 Jan 2021, Alex Regan wrote:

>>  Correct. libreswan does not consult a DHCP server. It assumes it has
>>  full authority to assign anything from its given addresspool.
>
> How does it then determine the default gateway and other stuff that would 
> normally be obtained by DHCP, such as an NTP server?

Client and server agree on the src/dst parameters, e.g. the leftsubnet and
rightsubnet options. If the VPN client receives a remote subnet of
0.0.0.0/0 it sends all traffic over the tunnel. If it receives a smaller
subnet, only traffic with that destination will go over the tunnel. For
all traffic over the tunnel, the IP the libreswan server assigned to it
is used (e.g. it appears to the client as leftsubnet=192.168.6.x/32).

> I'm also using shorewall on this network, but it operates based on "ipsec", 
> not a specific network.

Maybe Tuomo can shed light on that.

> Listening on 192.168.6.0/24 on the VPN server shows no traffic, even when 
> trying to ping the gateway.

Do you have IP forwarding enabled (in general via sysctl or via specific
FORWARD rules)?

> Here is the routing table from the Windows PC after the VPN is connected, 
> using a tether connection on my cell. I've stripped off the Metric field to 
> make it more legible.
>
> Active Routes:
> Network Destination        Netmask          Gateway       Interface
>           0.0.0.0          0.0.0.0     192.168.43.1   192.168.43.203
>     68.195.193.42  255.255.255.255     192.168.43.1   192.168.43.203
>         127.0.0.0        255.0.0.0         On-link         127.0.0.1
>         127.0.0.1  255.255.255.255         On-link         127.0.0.1
>   127.255.255.255  255.255.255.255         On-link         127.0.0.1
>       192.168.6.0    255.255.255.0         On-link       192.168.6.2
>       192.168.6.2  255.255.255.255         On-link       192.168.6.2
>     192.168.6.255  255.255.255.255         On-link       192.168.6.2

I'm assuming these would go over the tunnel.

> When I built a subnet-to-subnet VPN some time ago, it was necessary to create 
> another connection to allow remote hosts to access individual hosts on the 
> local network. Is that not necessary here?

No, that is a different thing.

> My eventual goal is to allow it to reach the 192.168.1.0/24 corporate LAN 
> from the 192.168.6.0/24 IP it's assigned so it can communicate with our 
> asterisk server.

Do you have the VPN server handing out a leftsubnet=192.168.1.0/24 or
leftsubnet=0.0.0.0/0 (with rightaddresspool=192.168.6.XXXXXXX)?

Paul
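Added example, not part of the message above or of libreswan's own documentation: a server-side ipsec.conf conn for the road-warrior setup being discussed, showing the leftsubnet choice (split tunnel to the corporate LAN, with the full-tunnel 0.0.0.0/0 alternative commented out) together with the address pool the client draws its 192.168.6.x/32 from. The server identity, certificate nickname, pool range and DNS address are assumed values.

```ini
# /etc/ipsec.d/roadwarrior.conf (example layout; values below are assumptions)
conn roadwarrior
        # Server side ("left"); clients ("right") connect from anywhere.
        left=%defaultroute
        leftid=@vpn.example.com          # assumed server identity
        leftcert=vpn.example.com         # assumed certificate nickname in the NSS db
        right=%any
        rightid=%fromcert

        # Split tunnel: the client only routes the corporate LAN over the VPN.
        leftsubnet=192.168.1.0/24
        # Full tunnel alternative: the client sends all traffic over the VPN.
        #leftsubnet=0.0.0.0/0

        # Each client is assigned one /32 from this pool (no DHCP involved);
        # it shows up on the client as its 192.168.6.x address.
        rightaddresspool=192.168.6.100-192.168.6.200
        modecfgdns=192.168.1.53          # assumed internal resolver pushed to clients

        ikev2=insist
        authby=rsasig
        auto=add

# For VPN clients to reach 192.168.1.0/24 the server must forward packets:
#   sysctl -w net.ipv4.ip_forward=1   (persist it under /etc/sysctl.d/)
# and any FORWARD-chain policy must permit 192.168.6.0/24 <-> 192.168.1.0/24.
# Hosts on 192.168.1.0/24 also need a route back to 192.168.6.0/24 via the
# VPN server, otherwise replies (e.g. from the asterisk box) never return.
```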

