[Swan] Understanding left/rightsubnet for "VPN server for remote clients using IKEv2"
Brady Johnson
bradyjoh at redhat.com
Tue Mar 29 19:24:15 EEST 2022
That does indeed work, thank you!
I have been following the "VPN server for remote clients using IKEv2"
config from [0]. There they only configure the "rightsubnet=" on the
client, but not on the server like I was doing.
Should this be considered a bug on that document?
[0] https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
Regards,
*Brady Johnson*
brady.johnson at redhat.com
On Tue, Mar 29, 2022 at 2:28 PM Tuomo Soini <tis at foobar.fi> wrote:
> On Tue, 29 Mar 2022 13:43:58 +0200
> Brady Johnson <bradyjoh at redhat.com> wrote:
>
> > The pluto.log in the server doesn't provide any more information. Why
> > do I get the TS_UNACCEPTABLE error?
>
> Right. That means your configurations don't match which is very obvious
> when looking at your configs below:
>
> >
> > Server and Client configurations:
> >
> > conn vpn_server_tunnel
> >     left=10.10.8.8
> >     leftid=@vpnserver08.lab.com
> >     leftsubnet=10.10.10.0/24
> >     leftrsasigkey=%cert
> >     leftcert=vpnserver08.lab.com
> >     leftsendcert=always
> >
> >     right=%any
> >     rightrsasigkey=%cert
> >     rightid=%fromcert
> >     rightca=%same
> >
> >     dpddelay=30
> >     dpdtimeout=120
> >     dpdaction=clear
> >     auto=add
> >     ikev2=insist
> >     rekey=no
> >     fragmentation=yes
> >     ike=aes256-sha2
> >     esp=aes256-sha2_512-dh14
> >     authby=rsa-sha2_512
> >     ikelifetime=86400s
> >     salifetime=3600s
>
> Note: rightsubnet= is missing from this config. Add
> rightsubnet=10.10.50.0/24 and it should work. Likely you also need
> rightsourceip=<select-one-ip-from 10.10.50.0/24 subnet> if you want to
> communicate over the tunnel from IPsec endpoint.
>
> --
> Tuomo Soini <tis at foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <https://foobar.fi/>
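The mismatch discussed in this thread, as an added example that is not part of the original messages or of libreswan: a small pre-deployment check that derives each side's traffic selectors from two conn blocks and reports where they differ. Assumptions: the client conn is constructed (the thread does not show it), both configs use the same left/right orientation, the client address 192.0.2.10 is a placeholder, and selectors must match exactly (narrowing is not modelled).

```python
import ipaddress

# Server conn as posted in the thread (only the keys that affect traffic selectors).
SERVER = """
conn vpn_server_tunnel
    left=10.10.8.8
    leftsubnet=10.10.10.0/24
    right=%any
"""
# Constructed client conn (not shown in the thread), same left/right orientation.
CLIENT = """
conn vpn_client_tunnel
    left=10.10.8.8
    leftsubnet=10.10.10.0/24
    right=%defaultroute
    rightsubnet=10.10.50.0/24
"""

def parse_conn(text):
    """Collect key=value options of one conn block; header and comments are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def selector(opts, side, client_addr):
    """Network a side offers: <side>subnet if set, otherwise that host as a /32."""
    if opts.get(side + "subnet"):
        return ipaddress.ip_network(opts[side + "subnet"])
    host = opts[side]
    # %any / %defaultroute stand for the client's real address (assumed value here).
    return ipaddress.ip_network(client_addr if host.startswith("%") else host)

def mismatches(server_text, client_text, client_addr):
    """Return (side, server_selector, client_selector) for every side that differs."""
    server, client = parse_conn(server_text), parse_conn(client_text)
    diffs = []
    for side in ("left", "right"):
        s, c = selector(server, side, client_addr), selector(client, side, client_addr)
        if s != c:
            diffs.append((side, str(s), str(c)))
    return diffs

if __name__ == "__main__":
    print(mismatches(SERVER, CLIENT, "192.0.2.10"))
    print(mismatches(SERVER + "    rightsubnet=10.10.50.0/24\n", CLIENT, "192.0.2.10"))
```

The first call reports the right-side mismatch that surfaces as TS_UNACCEPTABLE; the second, with `rightsubnet=10.10.50.0/24` added to the server conn, reports none.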