[Swan] Understanding left/rightsubnet for "VPN server for remote clients using IKEv2"

Brady Johnson bradyjoh at redhat.com
Sun Mar 27 15:37:26 EEST 2022


Hello,

I am trying to configure a VPN IPSec server and client using Libreswan
according to [0].

For the VPN server, I am using RHEL 8.5 with the following Libreswan
version:

$ ipsec --version
Linux Libreswan 4.4 (netkey) on 4.18.0-348.12.2.el8_5.x86_64


For the VPN client, I am using the following:

Red Hat Enterprise Linux CoreOS release 4.8
$ uname -r
4.18.0-305.10.2.el8_4.x86_64
$ ipsec --version
Linux Libreswan 4.4 (netkey) on 4.18.0-305.10.2.el8_4.x86_64


Since CoreOS is immutable, I am using Libreswan via a privileged
network=host container.

My specific questions are related to how the left/rightsubnet(s) works.

1) Am I correct in my understanding that the rightsubnet (and rightsubnets)
on the VPN client is for policies to determine which layer 3 traffic on the
VPN client will be sent through the IPSec tunnel?

1a) If this assumption is correct, are there any relationships between
leftsubnet(s) (on the VPN server or client) and VPN client rightsubnet(s)?
I ask because sometimes I get TS_UNACCEPTABLE on the VPN client when
establishing the IPSec tunnel, and I can't really figure out what causes it,
but it seems to be due to some invalid combination of the left/right
subnets.

2) What role does the leftsubnet (and leftsubnets) play in the VPN client
configuration? The leftsubnet was already specified on the server side, why
does it need to be repeated in the client side configuration? What if it is
different in the client configuration?

3) In the [0] document, I see that it sets the subnet to 0, like this:
"leftsubnet=0.0.0.0/0". What exactly does this mean? I may be mistaken, but
I thought I read in one of the documents that it means "all traffic". But,
based on my testing, it seems to mean "no traffic".

Here are the client/server configurations I'm using:

conn vpn_server_tunnel
    left=10.10.3.8
    leftid=@vpn_server_fqdn
    leftsubnet=10.10.3.0/24
    leftrsasigkey=%cert
    leftcert=vpn_server_fqdn
    leftsendcert=always

    # Clients
    right=%any
    rightrsasigkey=%cert
    rightid=%fromcert
    rightca=%same
    # Not using DHCP for clients

    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    fragmentation=yes
    ike=aes256-sha2
    esp=aes256-sha2_512-dh14
    authby=rsa-sha2_512
    ikelifetime=86400s
    salifetime=3600s

conn vpn_client_tunnel
    left=10.10.3.8
    leftid=@vpn_server_fqdn
    leftsubnet=10.10.3.0/24
    leftrsasigkey=%cert
    leftmodecfgclient=yes

    # For now the client/server are in the same subnet, but that will change
    right=10.10.3.5
    rightrsasigkey=%cert
    rightid=%fromcert
    rightsubnet=10.10.3.0/24
    rightcert=vpn_client_fqdn

    ikev2=insist
    rekey=yes
    fragmentation=yes
    mobike=yes
    auto=start
    ike=aes256-sha2
    esp=aes256-sha2_512-dh14
    authby=rsa-sha2_512
    ikelifetime=86400s
    salifetime=3600s


[0] https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

Regards,

Brady Johnson
brady.johnson at redhat.com
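The questions above all come down to how IKEv2 traffic selectors (TSi/TSr) are derived from left/rightsubnet and matched by the responder (RFC 7296 section 2.9). The model below is an added example, not code from the post or from the Libreswan project. It assumes two things the ipsec.conf(5) man page documents: left and right are only labels, and Libreswan treats the side whose address matches a local interface as "local"; and an unset leftsubnet/rightsubnet means the endpoint address itself as a /32. The `allow_narrowing` flag is a model parameter standing in for the responder's policy on narrowing proposals (Libreswan exposes this as `narrowing=`; check ipsec.conf(5) for the default on your version). The two conn dictionaries are constructed from the post's configs with only the selector-relevant keys kept.

```python
"""Model of IKEv2 traffic-selector negotiation (RFC 7296 section 2.9)
applied to libreswan-style left/right conn definitions.

Added illustration, not libreswan code. The conn dictionaries and addresses
are constructed from the mailing-list post; the server's rightsubnet is
deliberately left unset, exactly as in the post.
"""
from ipaddress import ip_address, ip_network


def side_subnet(conn, side, endpoint):
    """Subnet behind one side of a conn. An unset <side>subnet means the
    endpoint address itself (a /32), which is how libreswan treats it
    (assumption taken from ipsec.conf(5))."""
    key = side + "subnet"
    if key in conn:
        return ip_network(conn[key], strict=False)
    return ip_network(f"{endpoint}/32")


def local_remote(conn, my_ip, peer_ip):
    """Return (local_subnet, remote_subnet) as seen from my_ip.
    left/right are just labels: whichever side's address matches my_ip is
    local. peer_ip supplies the address for a side configured as %any."""
    my_ip, peer_ip = ip_address(my_ip), ip_address(peer_ip)
    if conn["left"] != "%any" and ip_address(conn["left"]) == my_ip:
        mine, theirs = "left", "right"
    elif conn["right"] != "%any" and ip_address(conn["right"]) == my_ip:
        mine, theirs = "right", "left"
    else:
        raise ValueError("neither left nor right matches this host")
    return side_subnet(conn, mine, my_ip), side_subnet(conn, theirs, peer_ip)


def narrow(proposed, policy, allow_narrowing):
    """One selector: accept the proposal if it fits inside the policy, narrow
    it down to the policy if the policy is the smaller network and narrowing
    is allowed, otherwise reject (None). Two CIDR blocks either nest or are
    disjoint, so these three branches cover every case."""
    if proposed.subnet_of(policy):
        return proposed
    if allow_narrowing and policy.subnet_of(proposed):
        return policy
    return None


def negotiate(initiator, responder, allow_narrowing=True):
    """Responder-side TS processing. initiator and responder are
    (local_subnet, remote_subnet) pairs, each from its own point of view.
    TSi is the initiator's local side and is checked against the responder's
    *remote* policy; TSr is the initiator's remote side and is checked against
    the responder's *local* policy. Either check failing is TS_UNACCEPTABLE."""
    tsi = narrow(initiator[0], responder[1], allow_narrowing)
    tsr = narrow(initiator[1], responder[0], allow_narrowing)
    if tsi is None or tsr is None:
        return "TS_UNACCEPTABLE", None, None
    return "OK", tsi, tsr


SERVER_IP, CLIENT_IP = "10.10.3.8", "10.10.3.5"

# Constructed from the post's configs (selector-relevant keys only).
VPN_SERVER_CONN = {"left": SERVER_IP, "leftsubnet": "10.10.3.0/24",
                   "right": "%any"}                      # no rightsubnet
VPN_CLIENT_CONN = {"left": SERVER_IP, "leftsubnet": "10.10.3.0/24",
                   "right": CLIENT_IP, "rightsubnet": "10.10.3.0/24"}


def run_post_configs(allow_narrowing=True):
    """Client initiates to the server with the two conns from the post."""
    client = local_remote(VPN_CLIENT_CONN, CLIENT_IP, SERVER_IP)
    server = local_remote(VPN_SERVER_CONN, SERVER_IP, CLIENT_IP)
    return negotiate(client, server, allow_narrowing)


def run_any_subnet():
    """Client side configured with 0.0.0.0/0 on both sides: this proposes
    'everything' and lets the responder narrow it to what its policy allows.
    Hypothetical client conn, constructed for the example."""
    conn = {"left": SERVER_IP, "leftsubnet": "0.0.0.0/0",
            "right": CLIENT_IP, "rightsubnet": "0.0.0.0/0"}
    client = local_remote(conn, CLIENT_IP, SERVER_IP)
    server = local_remote(VPN_SERVER_CONN, SERVER_IP, CLIENT_IP)
    return negotiate(client, server)


if __name__ == "__main__":
    print("post configs, narrowing allowed:", run_post_configs())
    print("post configs, no narrowing:    ", run_post_configs(False))
    print("client proposes 0.0.0.0/0:     ", run_any_subnet())
```

Running this on the post's own configs shows the asymmetry that matters: the client proposes TSi=10.10.3.0/24 because its rightsubnet is set, but the server has no rightsubnet, so its policy for that side is the client address alone (10.10.3.5/32). A responder that narrows returns the /32 and the SA comes up covering only that host; a responder that refuses to narrow answers TS_UNACCEPTABLE for the same proposal. The 0.0.0.0/0 case shows why that value reads as "all traffic" in the documentation while looking like "no traffic" in practice: it is only the proposal, and the negotiated selectors end up being whatever the responder's left/rightsubnet allow. Packets outside the negotiated pair never enter the tunnel, so always verify the installed selectors (for example with `ipsec status` or `ip xfrm policy`) rather than trusting the subnet you typed on one side.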

