[Swan] Understanding left/rightsubnet for "VPN server for remote clients using IKEv2"
Tuomo Soini
tis at foobar.fi
Tue Mar 29 15:28:35 EEST 2022
On Tue, 29 Mar 2022 13:43:58 +0200
Brady Johnson <bradyjoh at redhat.com> wrote:
> The pluto.log in the server doesn't provide any more information. Why
> do I get the TS_UNACCEPTABLE error?
Right. That means your configurations don't match, which is very obvious
when looking at your configs below:
>
> Server and Client configurations:
>
> conn vpn_server_tunnel
> left=10.10.8.8
> leftid=@vpnserver08.lab.com
> leftsubnet=10.10.10.0/24
> leftrsasigkey=%cert
> leftcert=vpnserver08.lab.com
> leftsendcert=always
>
> right=%any
> rightrsasigkey=%cert
> rightid=%fromcert
> rightca=%same
>
> dpddelay=30
> dpdtimeout=120
> dpdaction=clear
> auto=add
> ikev2=insist
> rekey=no
> fragmentation=yes
> ike=aes256-sha2
> esp=aes256-sha2_512-dh14
> authby=rsa-sha2_512
> ikelifetime=86400s
> salifetime=3600s
Note: rightsubnet= is missing from this config. Add
rightsubnet=10.10.50.0/24 and it should work. Likely you also need
rightsourceip=<select-one-ip-from 10.10.50.0/24 subnet> if you want to
communicate over the tunnel from the IPsec endpoint.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
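The mismatch described in this reply, as an added example that is not part of the thread: a small Python script that parses both peers' conn sections and reports each pair of traffic selectors that cannot overlap, which is the condition IKEv2 signals as TS_UNACCEPTABLE. The client conn, its addresses and the check itself are constructed for this example; the only Libreswan behaviour it relies on is that an unset leftsubnet=/rightsubnet= defaults to the endpoint address as a /32.

```python
import ipaddress

# Constructed sample conns: the server side is the one from the thread (with
# rightsubnet missing); the client side is a hypothetical mirror image of it.
SERVER_CONN = """conn vpn_server_tunnel
    left=10.10.8.8
    leftsubnet=10.10.10.0/24
    right=%any
"""
CLIENT_CONN = """conn vpn_client_tunnel
    left=10.10.9.9
    leftsubnet=10.10.50.0/24
    right=10.10.8.8
    rightsubnet=10.10.10.0/24
"""

def parse_conn(text):
    """Reduce one ipsec.conf conn section to a dict of key=value settings."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "conn ")):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def traffic_selector(conf, side, peer_addr=None):
    """Selector a side will negotiate: the explicit *subnet=, otherwise the
    endpoint address as a /32 (Libreswan's default). For right=%any the
    endpoint is only known once the peer connects, so peer_addr stands in."""
    subnet = conf.get(side + "subnet")
    if subnet:
        return ipaddress.ip_network(subnet, strict=False)
    addr = conf.get(side, "")
    if addr.startswith("%"):
        addr = peer_addr
    return ipaddress.ip_network(addr + "/32") if addr else None

def selector_mismatches(server_text, client_text):
    """Compare each network as seen from both peers; a pair of selectors
    that does not overlap is what IKEv2 rejects with TS_UNACCEPTABLE."""
    srv, cli = parse_conn(server_text), parse_conn(client_text)
    problems = []
    # (side naming the network in the server conf, same network in the client conf)
    for srv_side, cli_side in (("left", "right"), ("right", "left")):
        a = traffic_selector(srv, srv_side, peer_addr=cli.get("left"))
        b = traffic_selector(cli, cli_side, peer_addr=srv.get("left"))
        if a is None or b is None or not a.overlaps(b):
            problems.append(f"server {srv_side}={a} vs client {cli_side}={b}")
    return problems

if __name__ == "__main__":
    for problem in selector_mismatches(SERVER_CONN, CLIENT_CONN):
        print("mismatch:", problem)
```

Running it on the conns above flags the missing rightsubnet (the server would only accept the client's own address as a /32); appending rightsubnet=10.10.50.0/24 to the server conn makes the list empty.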