[Swan] Road warriors and dhcp

Alex mysqlstudent at gmail.com
Mon Jan 4 19:09:45 UTC 2021


Hi Paul,

> > How does it then determine the default gateway and other stuff that would
> > normally be obtained by DHCP, such as an NTP server?
>
> Client and server agree on the src/dst parameters. eg the leftsubnet and
> rightsubnet options. If the vpn client receives a remote subnet of
> 0.0.0.0/0 it sends all traffic over the tunnel. If it receives a smaller
> subnet, only traffic with that destination will go over the tunnel. For
> all traffic over the tunnel, the IP the libreswan server assigned to it
> is used (eg it appears to the client as leftsubnet=192.168.6.x/32)

Okay, adding leftsubnet=0.0.0.0/0 does enable me to ping the
192.168.6.1 gateway, but I can't reach the 192.168.1.0/24 internal
network.

I don't recall seeing that in the documentation. Where can I find how
this works? Of course your help here is also appreciated :-)

> > Listening on 192.168.6.0/24 on the VPN server shows no traffic, even when
> > trying to ping the gateway.
>
> Do you have IP forwarding enabled (in general via sysctl or via specific
> FORWARD rules) ?

Yes, shorewall appears to be taking care of that:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 630M 1126G br0_fwd    all  --  br0    *       0.0.0.0/0            0.0.0.0/0
 455M  900G int_frwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            policy match dir in pol none

There also aren't any reject/deny messages in the logs when trying to
reach the 192.168.1.0/24 network.

> > My eventual goal is to allow it to reach the 192.168.1.0/24 corporate LAN
> > from the 192.168.6.0/24 IP it's assigned so it can communicate with our
> > asterisk server.
>
> Do you have the VPN server handing out a leftsubnet=192.168.1.0/24 or
> leftsubnet=0.0.0.0/0 (with rightaddresspool=192.168.6.XXXXXXX)

It doesn't work when trying leftsubnet=192.168.1.0/24 or
leftsubnet=0.0.0.0/0. It just returns "request timed out." So when I
set leftsubnet=192.168.6.0/24 I can ping the gateway, but when I set
leftsubnet=192.168.1.0/24 or leftsubnet=0.0.0.0/0 I can't reach the
gateway or the 192.168.1.0/24 network.

conn ikev2-cp
    left=68.195.111.42
    leftcert=orion.example.com
    leftid=@68.195.111.42
    leftsendcert=always
    leftsubnet=192.168.1.0/24
    leftrsasigkey=%cert
    right=%any
    rightaddresspool=192.168.6.2-192.168.6.254
    rightca=%same
    rightrsasigkey=%cert
    modecfgdns=8.8.8.8,193.100.157.123
    narrowing=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    fragmentation=yes
    esp=aes_gcm256-null,aes_gcm128-null,aes256-sha2_512,aes128-sha2_512,aes256-sha1,aes128-sha1,aes_gcm256-null
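The traffic-selector behaviour Paul describes (the client proposes 0.0.0.0/0, the server narrows it to its leftsubnet, and only destinations inside the narrowed selector go over the tunnel) can be worked through for the three leftsubnet values tried in this thread. This is an added illustration, not code from the thread or from libreswan; it assumes a simple nested-or-disjoint CIDR model of IKEv2 narrowing and uses a constructed LAN host 192.168.1.10 to stand in for the asterisk server.

```python
import ipaddress

def narrow_selector(proposed: str, configured: str):
    """Narrow the client's proposed traffic selector to the server's leftsubnet.

    Simplified model (assumption): two CIDR networks are either nested or
    disjoint, so the narrowed selector is the smaller of the two, or None
    when they do not overlap (no Child SA covering that traffic).
    """
    p = ipaddress.ip_network(proposed, strict=False)
    c = ipaddress.ip_network(configured, strict=False)
    if p.subnet_of(c):
        return p
    if c.subnet_of(p):
        return c
    return None

def goes_over_tunnel(dst: str, selector) -> bool:
    """True if packets to dst are matched by the negotiated selector."""
    return selector is not None and ipaddress.ip_address(dst) in selector

def reachability(leftsubnet: str, destinations, proposed: str = "0.0.0.0/0"):
    """Map each destination to whether it is tunnelled for a given leftsubnet."""
    sel = narrow_selector(proposed, leftsubnet)
    return {d: goes_over_tunnel(d, sel) for d in destinations}

if __name__ == "__main__":
    # Constructed sample: the VPN gateway, a hypothetical LAN host, a public IP.
    dests = ["192.168.6.1", "192.168.1.10", "8.8.8.8"]
    for leftsubnet in ("192.168.6.0/24", "192.168.1.0/24", "0.0.0.0/0"):
        print(leftsubnet, reachability(leftsubnet, dests))
```

With leftsubnet=192.168.6.0/24 only the 192.168.6.x gateway is tunnelled, which matches the ping result in the thread; with 0.0.0.0/0 the LAN host is inside the selector, so a failure there has to lie on the server side of the tunnel (forwarding, firewall policy or the return route from the LAN to the address pool) rather than in the selector.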

