[Swan] Road warriors and dhcp
Alex
mysqlstudent at gmail.com
Mon Jan 4 19:09:45 UTC 2021
Hi Paul,
> > How does it then determine the default gateway and other stuff that would
> > normally be obtained by DHCP, such as an NTP server?
>
> Client and server agree on the src/dst parameters. eg the leftsubnet and
> rightsubnet options. If the vpn client receives a remote subnet of
> 0.0.0.0/0 it sends all traffic over the tunnel. If it receives a smaller
> subnet, only traffic with that destination will go over the tunnel. For
> all traffic over the tunnel, the IP the libreswan server assigned to it
> is used (eg it appears to the client as leftsubnet=192.168.6.x/32)
Okay, adding leftsubnet=0.0.0.0/0 does enable me to ping the
192.168.6.1 gateway, but I can't reach the 192.168.1.0/24 internal
network.
I don't recall seeing that in the documentation. Where can I find how
this works? Of course your help here is also appreciated :-)
> > Listening on 192.168.6.0/24 on the VPN server shows no traffic, even when
> > trying to ping the gateway.
>
> Do you have IP forwarding enabled (in general via sysctl or via specific
> FORWARD rules) ?
Yes, shorewall appears to be taking care of that:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target   prot opt in   out source    destination
 630M 1126G br0_fwd  all  --  br0  *   0.0.0.0/0 0.0.0.0/0
 455M  900G int_frwd all  --  eth1 *   0.0.0.0/0 0.0.0.0/0  policy match dir in pol none
There also aren't any reject/deny messages in the logs when trying to
reach the 192.168.1.0/24 network.
> > My eventual goal is to allow it to reach the 192.168.1.0/24 corporate LAN
> > from the 192.168.6.0/24 IP it's assigned so it can communicate with our
> > asterisk server.
>
> Do you have the VPN server handing out a leftsubnet=192.168.1.0/24 or
> leftsubnet=0.0.0.0/0 (with rightaddresspool=192.168.6.XXXXXXX)
It doesn't work when trying leftsubnet=192.168.1.0/24 or
leftsubnet=0.0.0.0/0. It just returns "request timed out." So when I
set leftsubnet=192.168.6.0/24 I can ping the gateway, but when I set
leftsubnet=192.168.1.0/24 or leftsubnet=0.0.0.0/0 I can't reach the
gateway or the 192.168.1.0/24 network.
conn ikev2-cp
    left=68.195.111.42
    leftcert=orion.example.com
    leftid=@68.195.111.42
    leftsendcert=always
    leftsubnet=192.168.1.0/24
    leftrsasigkey=%cert
    right=%any
    rightaddresspool=192.168.6.2-192.168.6.254
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns=8.8.8.8,193.100.157.123
    narrowing=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    fragmentation=yes
    esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null
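Added diagnostic (an example written for this page, not code from the thread, libreswan or shorewall): it parses the FORWARD chain quoted in the post, then walks a packet from the rightaddresspool to the 192.168.1.0/24 LAN through it, treating a rule with `policy match dir in pol none` as one that freshly decrypted IPsec traffic cannot satisfy. It assumes the tunnel terminates on eth1 with no xfrm interface, so decapsulated packets re-enter the stack with in=eth1.

```python
"""Which FORWARD rule would decrypted road-warrior traffic hit?  (added example)"""
import ipaddress
import re

# Constructed sample: the post's FORWARD chain with its columns re-joined.
SAMPLE_FORWARD = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target   prot opt in   out source    destination
 630M 1126G br0_fwd  all  --  br0  *   0.0.0.0/0 0.0.0.0/0
 455M  900G int_frwd all  --  eth1 *   0.0.0.0/0 0.0.0.0/0  policy match dir in pol none
"""

# pkts bytes target prot opt in out source destination [extra match text]
RULE_RE = re.compile(
    r"^\s*\S+\s+\S+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(.*)$")


def parse_forward(text):
    """Return (chain policy, list of rule dicts) from iptables -nvL output."""
    lines = text.strip().splitlines()
    policy = re.search(r"policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:  # skip the 'Chain' line and the column header
        m = RULE_RE.match(line)
        if not m:
            continue
        target, proto, in_if, out_if, src, dst, extra = m.groups()
        rules.append({"target": target, "proto": proto, "in": in_if, "out": out_if,
                      "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
                      "pol_none": "pol none" in extra})
    return policy, rules


def verdict(text, src_ip, dst_ip, in_if, via_ipsec):
    """Target of the first rule the packet matches, else the chain policy.

    via_ipsec=True models a packet just decrypted from an SA: it carries
    'pol ipsec', so it cannot satisfy a 'pol none' match (assumed in=eth1).
    """
    policy, rules = parse_forward(text)
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["in"] not in ("*", in_if) or s not in r["src"] or d not in r["dst"]:
            continue
        if r["pol_none"] and via_ipsec:
            continue  # rule requires pol none, decrypted traffic has pol ipsec
        return r["target"]
    return policy
```

With the quoted chain, a decrypted packet from 192.168.6.10 to 192.168.1.20 matches no rule and falls to the chain policy DROP, which is silent, consistent with seeing no reject/deny log lines.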