[Swan] Road warriors and dhcp
mysqlstudent at gmail.com
Mon Jan 4 19:09:45 UTC 2021
> > How does it then determine the default gateway and other stuff that would
> > normally be obtained by DHCP, such as an NTP server?
> Client and server agree on the src/dst parameters. eg the leftsubnet and
> rightsubnet options. If the vpn client receives a remote subnet of
> 0.0.0.0/0 it sends all traffic over the tunnel. If it receives a smaller
> subnet, only traffic with that destination will go over the tunnel. For
> all traffic over the tunnel, the IP the libreswan server assigned to it
> is used (eg it appears to the client as leftsubnet=192.168.6.x/32)
Okay, adding leftsubnet=0.0.0.0/0 does enable me to ping the
192.168.6.1 gateway, but I can't reach the 192.168.1.0/24 internal
I don't recall seeing that in the documentation. Where can I find how
this works? Of course your help here is also appreciated :-)
> > Listening on 192.168.6.0/24 on the VPN server shows no traffic, even when
> > trying to ping the gateway.
> Do you have IP forwarding enabled (in general via sysctl or via specific
> FORWARD rules) ?
Yes, shorewall appears to be taking care of that:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source
630M 1126G br0_fwd all -- br0 * 0.0.0.0/0
455M 900G int_frwd all -- eth1 * 0.0.0.0/0
0.0.0.0/0 policy match dir in pol none
There also aren't any reject/deny messages in the logs when trying to
reach the 192.168.1.0/24 network.
> > My eventual goal is to allow it to reach the 192.168.1.0/24 corporate LAN
> > from the 192.168.6.0/24 IP it's assigned so it can communicate with our
> > asterisk server.
> Do you have the VPN server handing out a leftsubnet=192.168.1.0/24 or
> leftsubnet=0.0.0.0/0 (with rightaddresspool=192.168.6.XXXXXXX)
It doesn't work when trying leftsubnet=192.168.1.0/24 or
leftsubnet=0.0.0.0/0. It just returns "request timed out." So when I
set leftsubnet=192.168.6.0/24 I can ping the gateway, but when I set
leftsubnet=192.168.1.0/24 or leftsubnet=0.0.0.0/0 I can't reach the
gateway or the 192.168.1.0/24 network.
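Putting the pieces of this thread together, here is an added, constructed server-side example (not from the original mail or from the libreswan project) of a road-warrior conn that hands clients an address from 192.168.6.0/24 and advertises the 192.168.1.0/24 LAN, with the forwarding prerequisites noted as comments. The hostname, certificate nickname and pool range are assumptions.

```ini
# /etc/ipsec.conf (constructed example; identity, cert nickname and pool are assumptions)
conn roadwarrior
    # Server side is "left", the road-warrior clients are "right"
    left=%defaultroute
    leftid=@vpn.example.com            # assumed server identity
    leftcert=vpn.example.com           # assumed certificate nickname in the NSS db
    # leftsubnet is what the client is told it can reach through the tunnel:
    #   192.168.1.0/24 -> split tunnel: only traffic for the LAN enters the tunnel
    #   0.0.0.0/0      -> full tunnel:  every packet from the client enters it
    leftsubnet=192.168.1.0/24
    right=%any
    rightid=%fromcert
    rightca=%same
    # Addresses handed to clients; the client's own "subnet" becomes <addr>/32
    rightaddresspool=192.168.6.10-192.168.6.200
    auto=add

# Server-side prerequisites for the 192.168.6.x -> 192.168.1.0/24 path:
#   1. sysctl net.ipv4.ip_forward=1
#   2. FORWARD rules that accept pool <-> LAN (shown as raw iptables; a
#      shorewall policy/rule between the two zones does the same job):
#        iptables -I FORWARD -s 192.168.6.0/24 -d 192.168.1.0/24 -j ACCEPT
#        iptables -I FORWARD -s 192.168.1.0/24 -d 192.168.6.0/24 -j ACCEPT
#   3. Hosts on 192.168.1.0/24 need a route for 192.168.6.0/24 that points
#      back at the VPN server (or the server must masquerade the pool);
#      otherwise replies go to the LAN's default gateway and the client
#      only ever sees "request timed out" with no reject in the logs.
```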