[Swan] Understanding left/rightsubnet for "VPN server for remote clients using IKEv2"
Brady Johnson
bradyjoh at redhat.com
Tue Mar 29 14:43:58 EEST 2022
Thanks again for the info.
Originally I oversimplified my testing setup way too much. I just
reconfigured everything on separate subnets, etc.
Server:
physical interface IP used for IPSec: 10.10.3.8/24
vpn server tunnel endpoint IP: 10.10.8.8/24
private subnet on server: 10.10.10.0/24
Client:
physical interface IP used for IPSec: 10.10.5.5/24
vpn client tunnel endpoint IP: 10.10.15.5/24
private subnet on client: 10.10.50.0/24
From the client, I can ping the server VPN tunnel endpoint IP, so the
connectivity and routing are working.
(I know, there are way too many 10's in these IPs ;) )
The configuration below with "rightsubnet=10.10.50.0/24" in the client
config gives the TS_UNACCEPTABLE error. But when I configure the client
with "rightsubnet=10.10.15.5/32" (the right IP) then I don't get the
TS_UNACCEPTABLE error, but of course this is not the configuration I want.
TS_UNACCEPTABLE error:
182 "vpn_client_tunnel" #2: sent IKE_AUTH request {auth=IKEv2
cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048}
002 "vpn_client_tunnel" #3: IKE_AUTH response contained the error
notification TS_UNACCEPTABLE
The pluto.log in the server doesn't provide any more information. Why do I
get the TS_UNACCEPTABLE error?
Server and Client configurations:
conn vpn_server_tunnel
    left=10.10.8.8
    leftid=@vpnserver08.lab.com
    leftsubnet=10.10.10.0/24
    leftrsasigkey=%cert
    leftcert=vpnserver08.lab.com
    leftsendcert=always
    right=%any
    rightrsasigkey=%cert
    rightid=%fromcert
    rightca=%same
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    fragmentation=yes
    ike=aes256-sha2
    esp=aes256-sha2_512-dh14
    authby=rsa-sha2_512
    ikelifetime=86400s
    salifetime=3600s
conn vpn_client_tunnel
    left=10.10.8.8
    leftid=@vpnserver08.lab.com
    leftsubnet=10.10.10.0/24
    leftrsasigkey=%cert
    right=10.10.15.5
    rightrsasigkey=%cert
    rightid=%fromcert
    rightsubnet=10.10.50.0/24
    rightcert=vpnclientha05.lab.com
    ikev2=insist
    rekey=yes
    fragmentation=yes
    mobike=yes
    auto=start
    ike=aes256-sha2
    esp=aes256-sha2_512-dh14
    authby=rsa-sha2_512
    ikelifetime=86400s
    salifetime=3600s
Regards,
Brady Johnson
brady.johnson at redhat.com
On Mon, Mar 28, 2022 at 3:18 PM Tuomo Soini <tis at foobar.fi> wrote:
> On Mon, 28 Mar 2022 11:47:07 +0200
> Brady Johnson <bradyjoh at redhat.com> wrote:
>
> > Tuomo,
> >
> > Thank you for your reply.
> >
> > I will put the client on a different subnet, but as it is now it is
> > creating a working tunnel between the 2 hosts.
>
> No. Server and client being in the same subnet is not your issue; the
> protected subnets are your issue. You need to understand basic
> networking: IPsec is policy based, but the network connection must still be
> routable. So you must have different subnets on different ends of the
> tunnel.
>
> About 0.0.0.0/0: that is the default route.
>
> --
> Tuomo Soini <tis at foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <https://foobar.fi/>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
>
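The following is an added example, not code from the original post or from the Libreswan project. It models the IKEv2 traffic-selector (TS) check the responder performs (RFC 7296, section 2.9: the responder must answer with selectors that are a subset of both the initiator's proposal and its own policy, and otherwise returns TS_UNACCEPTABLE) against the two conn blocks posted above, copied here with only the address-related keys. It assumes Libreswan's documented default that an omitted leftsubnet/rightsubnet means the host address itself (a /32), and that right=%any on the server is filled in with the connecting client's address; the helper names (parse_conn, selector, narrow, negotiate) are this example's own.

```python
import ipaddress

# Constructed copies of the posted conn blocks, trimmed to the keys that
# determine traffic selectors.  Everything else (auth, ciphers, DPD) does
# not take part in the TS check.
SERVER_CONN = """
conn vpn_server_tunnel
    left=10.10.8.8
    leftsubnet=10.10.10.0/24
    right=%any
"""

CLIENT_CONN = """
conn vpn_client_tunnel
    left=10.10.8.8
    leftsubnet=10.10.10.0/24
    right=10.10.15.5
    rightsubnet=10.10.50.0/24
"""


def parse_conn(text):
    """Read one 'conn' block into a dict of key=value settings."""
    conn = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("conn ", "#")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conn[key.strip()] = value.strip()
    return conn


def selector(conn, side, peer_addr=None):
    """Network a conn protects on 'left' or 'right'.

    Assumption (Libreswan semantics): with no <side>subnet the protected
    range is the host address as a /32.  For right=%any the host address
    is only known when a peer connects, so it is passed in as peer_addr."""
    key = side + "subnet"
    if key in conn:
        return ipaddress.ip_network(conn[key], strict=False)
    addr = conn.get(side)
    if addr == "%any":
        if peer_addr is None:
            raise ValueError("right=%any needs the connecting peer's address")
        addr = peer_addr
    return ipaddress.ip_network(addr + "/32")


def narrow(proposed, policy):
    """Intersection of two CIDR blocks: they either nest or are disjoint,
    so the result is the smaller block when nested, else None."""
    if proposed.subnet_of(policy):
        return proposed
    if policy.subnet_of(proposed):
        return policy
    return None


def negotiate(client_text, server_text, client_addr):
    """Simulate the responder's TS decision for an IKE_AUTH from the client.

    On the client host 'right' is the local side, so the initiator's TSi
    comes from right*/rightsubnet and TSr from left*/leftsubnet.  The
    server (responder) sees the client as its own 'right' side."""
    client = parse_conn(client_text)
    server = parse_conn(server_text)
    tsi = selector(client, "right")
    tsr = selector(client, "left")
    policy_remote = selector(server, "right", peer_addr=client_addr)
    policy_local = selector(server, "left")
    sel_i = narrow(tsi, policy_remote)
    sel_r = narrow(tsr, policy_local)
    if sel_i is None:
        return ("TS_UNACCEPTABLE",
                f"TSi {tsi} has no overlap with responder policy {policy_remote}")
    if sel_r is None:
        return ("TS_UNACCEPTABLE",
                f"TSr {tsr} has no overlap with responder policy {policy_local}")
    return ("OK", str(sel_i), str(sel_r))


if __name__ == "__main__":
    # As posted: client proposes 10.10.50.0/24, server only knows 10.10.15.5/32.
    print(negotiate(CLIENT_CONN, SERVER_CONN, "10.10.15.5"))
    # Server told about the client's private subnet.
    fixed_server = SERVER_CONN + "    rightsubnet=10.10.50.0/24\n"
    print(negotiate(CLIENT_CONN, fixed_server, "10.10.15.5"))
```

Run as-is, the first call reproduces the posted symptom (TSi 10.10.50.0/24 does not overlap the server-side policy 10.10.15.5/32), and swapping the client's rightsubnet for 10.10.15.5/32 makes it pass, matching what the post observed; giving the server a matching rightsubnet for that peer is the other way to make the selectors agree. The model ignores narrowing= and multiple-selector (rightsubnets=) handling, which a real Libreswan responder also applies.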