[Swan] Understanding left/rightsubnet for "VPN server for remote clients using IKEv2"
Brady Johnson
bradyjoh at redhat.com
Sun Mar 27 15:37:26 EEST 2022
Hello,
I am trying to configure a VPN IPSec server and client using Libreswan
according to [0].
For the VPN server, I am using RHEL 8.5 with the following Libreswan
version:
$ ipsec --version
Linux Libreswan 4.4 (netkey) on 4.18.0-348.12.2.el8_5.x86_64
For the VPN client, I am using the following:
Red Hat Enterprise Linux CoreOS release 4.8
$ uname -r
4.18.0-305.10.2.el8_4.x86_64
$ ipsec --version
Linux Libreswan 4.4 (netkey) on 4.18.0-305.10.2.el8_4.x86_64
Since CoreOS is immutable, I am using Libreswan via a privileged
network=host container.
My specific questions are related to how the left/rightsubnet(s) works.
1) Am I correct in my understanding that the rightsubnet (and rightsubnets)
on the VPN client is for policies to determine which layer 3 traffic on the
VPN client will be sent through the IPSec tunnel?
1a) If this assumption is correct, are there any relationships between
leftsubnet(s) (on the VPN server or client) and VPN client rightsubnet(s)?
I ask because sometimes I get TS_UNACCEPTABLE on the VPN client when
establishing the IPSec tunnel, and I can't really figure out what causes it,
but it seems to be due to some invalid combination of the left/right
subnets.
2) What role does the leftsubnet (and leftsubnets) play in the VPN client
configuration? The leftsubnet was already specified on the server side, why
does it need to be repeated in the client side configuration? What if it is
different in the client configuration?
3) In the [0] document, I see that it sets the subnet to 0, like this:
"leftsubnet=0.0.0.0/0". What exactly does this mean? I may be mistaken, but
I thought I read in one of the documents that it means "all traffic". But,
based on my testing, it seems to mean "no traffic".
Here are the client/server configurations I'm using:
conn vpn_server_tunnel
    left=10.10.3.8
    leftid=@vpn_server_fqdn
    leftsubnet=10.10.3.0/24
    leftrsasigkey=%cert
    leftcert=vpn_server_fqdn
    leftsendcert=always
    # Clients
    right=%any
    rightrsasigkey=%cert
    rightid=%fromcert
    rightca=%same
    # Not using DHCP for clients
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    fragmentation=yes
    ike=aes256-sha2
    esp=aes256-sha2_512-dh14
    authby=rsa-sha2_512
    ikelifetime=86400s
    salifetime=3600s

conn vpn_client_tunnel
    left=10.10.3.8
    leftid=@vpn_server_fqdn
    leftsubnet=10.10.3.0/24
    leftrsasigkey=%cert
    leftmodecfgclient=yes
    # For now the client/server are in the same subnet, but that will change
    right=10.10.3.5
    rightrsasigkey=%cert
    rightid=%fromcert
    rightsubnet=10.10.3.0/24
    rightcert=vpn_client_fqdn
    ikev2=insist
    rekey=yes
    fragmentation=yes
    mobike=yes
    auto=start
    ike=aes256-sha2
    esp=aes256-sha2_512-dh14
    authby=rsa-sha2_512
    ikelifetime=86400s
    salifetime=3600s
[0] https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
Regards,
Brady Johnson
brady.johnson at redhat.com
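Added illustration, not part of the original post and not Libreswan's own code: a small model of IKEv2 traffic-selector (TS) negotiation as described in RFC 7296 section 2.9, which is where TS_UNACCEPTABLE comes from. The initiator (here the VPN client) proposes TSi (its own side, i.e. its rightsubnet in the client conn) and TSr (the peer's side, its leftsubnet); the responder (the VPN server) intersects both with its own policy and either returns a possibly narrowed pair or, if either intersection is empty, TS_UNACCEPTABLE. The sample inputs are the subnets from the two configs above; the server's policy for the peer is assumed here to be the peer address 10.10.3.5/32, since the server conn sets no rightsubnet. Only CIDR prefixes are modelled (real TS payloads carry address ranges plus protocol and ports).

```python
"""Toy model of IKEv2 traffic-selector narrowing (RFC 7296 section 2.9).

Added example, not Libreswan code: it models the rule that the responder
picks the intersection of the initiator's proposal and its own policy, and
answers TS_UNACCEPTABLE when that intersection is empty.
"""
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple


def net(s: str) -> IPv4Network:
    """Parse a CIDR string; strict=False tolerates host bits (10.10.3.5/24)."""
    return ip_network(s, strict=False)


def intersect(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """Intersection of two prefixes: the more specific one, or None if disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def narrow_list(proposed: List[IPv4Network], policy: List[IPv4Network]) -> List[IPv4Network]:
    """Every non-empty pairwise intersection between proposal and policy."""
    out: List[IPv4Network] = []
    for p in proposed:
        for q in policy:
            r = intersect(p, q)
            if r is not None and r not in out:
                out.append(r)
    return out


def responder_select(tsi: List[str], tsr: List[str],
                     policy_remote: List[str], policy_local: List[str]
                     ) -> Tuple[str, Optional[List[str]], Optional[List[str]]]:
    """Responder side of the CREATE_CHILD_SA / IKE_AUTH TS exchange.

    tsi/tsr: what the initiator proposed (initiator's side first).
    policy_remote/policy_local: the responder's view of the peer's subnet
    and of its own subnet (its right/left subnet in ipsec.conf terms).
    Returns ("OK", narrowed_tsi, narrowed_tsr) or ("TS_UNACCEPTABLE", None, None).
    """
    ni = narrow_list([net(x) for x in tsi], [net(x) for x in policy_remote])
    nr = narrow_list([net(x) for x in tsr], [net(x) for x in policy_local])
    if not ni or not nr:
        return ("TS_UNACCEPTABLE", None, None)
    return ("OK", [str(n) for n in ni], [str(n) for n in nr])


def initiator_accepts(proposed: List[str], narrowed: List[str], narrowing: bool) -> bool:
    """Initiator side: a narrowed answer is only usable if narrowing is allowed.

    Rejects anything the responder returns that was never proposed; an exact
    match is always fine; a strict subset is fine only when `narrowing` is set
    (Libreswan exposes this choice as the narrowing= option).
    """
    p = [net(x) for x in proposed]
    n = [net(x) for x in narrowed]
    if not all(any(x.subnet_of(y) for y in p) for x in n):
        return False
    if set(n) == set(p):
        return True
    return narrowing


if __name__ == "__main__":
    # Constructed inputs taken from the two conns above (peer /32 is an assumption).
    client_tsi = ["10.10.3.0/24"]      # client's rightsubnet
    client_tsr = ["10.10.3.0/24"]      # client's leftsubnet
    server_remote = ["10.10.3.5/32"]   # server has no rightsubnet: peer address assumed
    server_local = ["10.10.3.0/24"]    # server's leftsubnet

    print("as posted :", responder_select(client_tsi, client_tsr, server_remote, server_local))
    # A client leftsubnet that disagrees with the server's leftsubnet: no overlap.
    print("mismatch  :", responder_select(client_tsi, ["192.168.5.0/24"], server_remote, server_local))
    # 0.0.0.0/0 is the whole IPv4 space, so it contains any proposed selector.
    print("0.0.0.0/0 :", responder_select(["10.10.3.5/32"], client_tsr, server_remote, ["0.0.0.0/0"]))
    # The narrowed TSi (10.10.3.5/32 instead of /24) is only usable with narrowing allowed.
    print("narrowing :", initiator_accepts(client_tsi, ["10.10.3.5/32"], narrowing=False),
          initiator_accepts(client_tsi, ["10.10.3.5/32"], narrowing=True))
```

The two things this makes visible for the configs above: the client's leftsubnet must overlap the server's leftsubnet (the server has no way to "remember" it, each peer states its own policy and the intersection is what gets installed), and a responder that narrows the client's /24 proposal down to the client's own /32 produces a child SA the initiator will only accept when narrowing is permitted on its side. When debugging a real TS_UNACCEPTABLE, compare the selectors each side logs for the conn rather than the ipsec.conf text, since unset subnets and modecfg-assigned addresses change what is actually proposed.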