[Swan] Understanding left/rightsubnet for "VPN server for remote clients using IKEv2"

Brady Johnson bradyjoh at redhat.com
Tue Mar 29 19:24:15 EEST 2022


That does indeed work, thank you!

I have been following the "VPN server for remote clients using IKEv2"
config from [0]. There they only configure the "rightsubnet=" on the
client, but not on the server like I was doing.

Should this be considered a bug on that document?

[0] https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

Regards,

*Brady Johnson*
brady.johnson at redhat.com



On Tue, Mar 29, 2022 at 2:28 PM Tuomo Soini <tis at foobar.fi> wrote:

> On Tue, 29 Mar 2022 13:43:58 +0200
> Brady Johnson <bradyjoh at redhat.com> wrote:
>
> > The pluto.log in the server doesn't provide any more information. Why
> > do I get the TS_UNACCEPTABLE error?
>
> Right. That means your configurations don't match which is very obvious
> when looking at your configs below:
>
> >
> > Server and Client configurations:
> >
> > conn vpn_server_tunnel
> >     left=10.10.8.8
> >     leftid=@vpnserver08.lab.com
> >     leftsubnet=10.10.10.0/24
> >     leftrsasigkey=%cert
> >     leftcert=vpnserver08.lab.com
> >     leftsendcert=always
> >
> >     right=%any
> >     rightrsasigkey=%cert
> >     rightid=%fromcert
> >     rightca=%same
> >
> >     dpddelay=30
> >     dpdtimeout=120
> >     dpdaction=clear
> >     auto=add
> >     ikev2=insist
> >     rekey=no
> >     fragmentation=yes
> >     ike=aes256-sha2
> >     esp=aes256-sha2_512-dh14
> >     authby=rsa-sha2_512
> >     ikelifetime=86400s
> >     salifetime=3600s
>
> Note: rightsubnet= is missing from this config. Add
> rightsubnet=10.10.50.0/24 and it should work. Likely you also need
> rightsourceip=<select-one-ip-from 10.10.50.0/24 subnet> if you want to
> communicate over the tunnel from the IPsec endpoint.
>
> --
> Tuomo Soini <tis at foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <https://foobar.fi/>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
>
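The TS_UNACCEPTABLE in the thread comes from the IKEv2 traffic-selector check (RFC 7296 section 2.9): the responder only installs a CHILD_SA whose proposed TSi/TSr fit inside the selectors its conn allows, and libreswan's documented default for an omitted leftsubnet=/rightsubnet= is the endpoint's own address as a /32. The script below is an added example, not libreswan's code, modelling that check against the conn posted above. The peer address 10.10.8.9 and the client's proposal (its LAN 10.10.50.0/24 as TSi, the server's LAN 10.10.10.0/24 as TSr) are constructed for the example; it also narrows a wider proposal such as 0.0.0.0/0, which assumes the responder permits narrowing at all.

```python
"""
Model of the IKEv2 traffic-selector check (RFC 7296 section 2.9) applied to an
ipsec.conf conn. Added example, not libreswan's implementation.

Assumption (libreswan's documented default): a missing leftsubnet= or
rightsubnet= means "that endpoint's address as a /32".
"""
import ipaddress


def parse_conn(text):
    """Parse the key=value lines of one ipsec.conf conn section into a dict."""
    conn = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("conn ") or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conn[key.strip()] = value.strip()
    return conn


def allowed_selectors(conn, peer_addr):
    """Selectors the responder ("left") allows: (TSi for the peer, TSr for itself)."""
    own = conn.get("leftsubnet") or f"{conn['left']}/32"
    # right=%any: the peer's address is only known once it connects, so a
    # missing rightsubnet= collapses to that single address.
    peer = conn.get("rightsubnet") or f"{peer_addr}/32"
    return ipaddress.ip_network(peer), ipaddress.ip_network(own)


def narrow(proposed, allowed):
    """Narrow a proposed selector to what is allowed.

    Two CIDR blocks either nest or are disjoint: return the smaller block when
    they nest, None (-> TS_UNACCEPTABLE) when they are disjoint.
    """
    if proposed.subnet_of(allowed):
        return proposed
    if allowed.subnet_of(proposed):
        return allowed
    return None


def respond(conn, peer_addr, client_tsi, client_tsr):
    """Responder's answer to a CHILD_SA proposal: narrowed (TSi, TSr) or the notify."""
    allow_i, allow_r = allowed_selectors(conn, peer_addr)
    tsi = narrow(ipaddress.ip_network(client_tsi), allow_i)
    tsr = narrow(ipaddress.ip_network(client_tsr), allow_r)
    if tsi is None or tsr is None:
        return "TS_UNACCEPTABLE"
    return tsi, tsr


# Constructed config: the server conn from the thread, reduced to the fields
# that matter for traffic selection, first as posted and then with the fix.
SERVER_AS_POSTED = """
conn vpn_server_tunnel
    left=10.10.8.8
    leftsubnet=10.10.10.0/24
    right=%any
"""
SERVER_FIXED = SERVER_AS_POSTED + "    rightsubnet=10.10.50.0/24\n"

# Constructed peer address and client proposal (not from the thread).
PEER_ADDR = "10.10.8.9"
CLIENT_TSI = "10.10.50.0/24"
CLIENT_TSR = "10.10.10.0/24"


def demo():
    """Run the same proposal against the broken and the fixed server conn."""
    before = respond(parse_conn(SERVER_AS_POSTED), PEER_ADDR, CLIENT_TSI, CLIENT_TSR)
    after = respond(parse_conn(SERVER_FIXED), PEER_ADDR, CLIENT_TSI, CLIENT_TSR)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("without rightsubnet=:", before)
    print("with rightsubnet=10.10.50.0/24:", after)
```

Without rightsubnet= the server can only offer 10.10.8.9/32 for the client side, which is disjoint from the proposed 10.10.50.0/24, so the proposal is refused; with the fix the selectors match exactly. The same function also shows why a client that proposes a wider TSr (for example 0.0.0.0/0) still gets 10.10.10.0/24 back rather than an error.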