[Swan] VPN server for multiple clients with fixed IPs

Brady Johnson bradyjoh at redhat.com
Thu Mar 31 11:26:11 EEST 2022


Hello,

I would like to do "VPN server for remote clients using IKEv2" [0] for
multiple clients, but with fixed client IPs. Currently I set the
"rightsubnet=0.0.0.0/0", but I would prefer to be able to specify a
different rightsubnet for each client, is this possible?

I tried with the configurations below, and got this error in the pluto.log:

    Mar 31 03:52:48.471606: "vpn_server_tunnel"[2] 10.10.16.6 #6: cannot
route -- route already in use for "vpn_server_tunnel"[1] 10.10.15.5

VPN server config:

conn vpn_server_tunnel
    left=10.10.8.8
    leftid=@vpnserver08.lab.com
    leftsubnet=10.10.10.0/24
    leftrsasigkey=%cert
    leftcert=vpnserver08.lab.com
    leftsendcert=always

    right=%any
    rightrsasigkey=%cert
    rightid=%fromcert
    rightca=%same
    rightsubnet=0.0.0.0/0

    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    ikev2=insist
    rekey=no
    fragmentation=yes
    ike=aes256-sha2
    esp=aes256-sha2_512-dh14
    authby=rsa-sha2_512
    ikelifetime=86400s
    salifetime=3600s

First client config:

conn vpn_client_tunnel
    left=10.10.8.8
    leftid=@vpnserver08.lab.com
    leftsubnet=10.10.10.0/24
    leftrsasigkey=%cert
    leftmodecfgclient=yes

    right=10.10.15.5
    rightrsasigkey=%cert
    rightid=%fromcert
    rightsubnet=0.0.0.0/0
    rightcert=vpnclientha05.lab.com

    narrowing=yes
    ikev2=insist
    rekey=yes
    fragmentation=yes
    mobike=yes
    auto=start
    ike=aes256-sha2
    esp=aes256-sha2_512-dh14
    authby=rsa-sha2_512
    ikelifetime=86400s
    salifetime=3600s

Second client config (same, just showing differences):

conn vpn_client_tunnel
    right=10.10.16.6
    rightcert=vpnclientha06.lab.com

Complete log for 2nd client connection attempt:

Mar 31 03:52:48.411778: "vpn_server_tunnel"[2] 10.10.16.6: local IKE
proposals (IKE SA responder matching remote proposals):
Mar 31 03:52:48.411818: "vpn_server_tunnel"[2] 10.10.16.6:
1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519
Mar 31 03:52:48.411832: "vpn_server_tunnel"[2] 10.10.16.6 #4: proposal
1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from
remote proposals
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match]
Mar 31 03:52:48.413657: "vpn_server_tunnel"[2] 10.10.16.6 #4: sent
IKE_SA_INIT reply {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128
prf=HMAC_SHA2_256 group=MODP2048}
Mar 31 03:52:48.442285: "vpn_server_tunnel"[2] 10.10.16.6 #5: proposal
1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from
remote proposals
1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match]
Mar 31 03:52:48.444040: "vpn_server_tunnel"[2] 10.10.16.6 #5: sent
IKE_SA_INIT reply {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128
prf=HMAC_SHA2_256 group=MODP2048}
Mar 31 03:52:48.459749: "vpn_server_tunnel"[2] 10.10.16.6 #5: processing
decrypted IKE_AUTH request: SK{IDi,CERT,IDr,AUTH,SA,TSi,TSr,N}
Mar 31 03:52:48.461220: "vpn_server_tunnel"[2] 10.10.16.6 #5: authenticated
using RSA with SHA2_512 and peer certificate 'CN=vpnclientha06.lab.com,
O=LAB' issued by CA 'CN=LAB CA, O=LAB'
Mar 31 03:52:48.471425: "vpn_server_tunnel"[2] 10.10.16.6: local ESP/AH
proposals (IKE_AUTH responder matching remote ESP/AH proposals):
Mar 31 03:52:48.471445: "vpn_server_tunnel"[2] 10.10.16.6:
1:ESP=AES_CBC_256-HMAC_SHA2_512_256-NONE-DISABLED
Mar 31 03:52:48.471454: "vpn_server_tunnel"[2] 10.10.16.6 #6: proposal
1:ESP=AES_CBC_256-HMAC_SHA2_512_256-DISABLED SPI=26149080 chosen from
remote proposals
1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;ESN=DISABLED[first-match]
Mar 31 03:52:48.471606: "vpn_server_tunnel"[2] 10.10.16.6 #6: cannot route
-- route already in use for "vpn_server_tunnel"[1] 10.10.15.5
Mar 31 03:52:48.471648: "vpn_server_tunnel"[2] 10.10.16.6 #6: encountered
fatal error in state STATE_V2_IKE_AUTH_CHILD_R0
Mar 31 03:52:48.471680: "vpn_server_tunnel"[2] 10.10.16.6 #5: deleting
other state #6 (STATE_V2_IKE_AUTH_CHILD_R0) aged 0.00027s and NOT sending
notification
Mar 31 03:52:48.471719: "vpn_server_tunnel"[2] 10.10.16.6 #6: ERROR:
netlink response for Del SA esp.26149080 at 10.10.16.6 included errno 3: No
such process
Mar 31 03:52:48.471795: "vpn_server_tunnel"[2] 10.10.16.6 #5: deleting
state (STATE_V2_ESTABLISHED_IKE_SA) aged 0.029566s and NOT sending
notification

[0] https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

Regards,

*Brady Johnson*
Principal Software Engineer
Telco Solutions & Enablement
brady.johnson at redhat.com
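The "cannot route -- route already in use" line above is reported when a second peer instantiates the same server conn with the same leftsubnet/rightsubnet pair that an earlier peer already holds; with rightsubnet=0.0.0.0/0 every client claims the same route. The checker below is an added example, not code from the original post or from libreswan: it parses conn blocks from ipsec.conf-style text into (leftsubnet, rightsubnet) selector pairs and reports every pair of conns whose selectors overlap, so a per-client layout can be sanity-checked before loading it. The sample config, the conn names and the 10.10.17.7 / 192.168.x.0/24 addresses are constructed for the example; the parser is deliberately simplified (no `also=`, `%defaultroute`, address ranges or `%any` handling) and, where a subnet is missing, it assumes the endpoint address as a /32.

```python
"""Flag libreswan-style conn sections whose traffic selectors overlap.

Added example, not from the original post or from libreswan. It shows
why two client conns with rightsubnet=0.0.0.0/0 collide: their
(leftsubnet, rightsubnet) routes are the same, and 0.0.0.0/0 also
overlaps any narrower client subnet. Only conns whose rightsubnets
are disjoint (client07 vs client08 below) pass the check.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: two clients copied from the post, both with
# rightsubnet=0.0.0.0/0, plus two hypothetical clients with fixed,
# distinct subnets. Addresses 10.10.17.7/10.10.18.8 and the
# 192.168.x.0/24 networks are made up for the example.
SAMPLE_CONF = """\
conn client05
    left=10.10.8.8
    leftsubnet=10.10.10.0/24
    right=10.10.15.5
    rightsubnet=0.0.0.0/0

conn client06
    left=10.10.8.8
    leftsubnet=10.10.10.0/24
    right=10.10.16.6
    rightsubnet=0.0.0.0/0

conn client07
    left=10.10.8.8
    leftsubnet=10.10.10.0/24
    right=10.10.17.7
    rightsubnet=192.168.7.0/24

conn client08
    left=10.10.8.8
    leftsubnet=10.10.10.0/24
    right=10.10.18.8
    rightsubnet=192.168.8.0/24
"""

Conn = Dict[str, str]


def parse_conns(text: str) -> Dict[str, Conn]:
    """Parse 'conn NAME' blocks into {name: {key: value}}.

    Simplified parser: strips '#' comments, ignores lines outside a conn
    block, and does not resolve 'also=' or other indirections.
    """
    conns: Dict[str, Conn] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)\s*$", line)
        if header:
            current = header.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        conns[current][key.strip()] = value.strip()
    return conns


def _networks(conn: Conn, side: str) -> List[ipaddress.IPv4Network]:
    """Selector networks for 'left' or 'right'.

    Assumption of this checker: a missing '<side>subnet' falls back to
    the endpoint address as a /32, which is how a host-only selector
    behaves; comma-separated subnet lists are expanded.
    """
    subnet = conn.get(side + "subnet") or conn.get(side, "")
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in subnet.split(",") if s.strip()]


def selector_pairs(conn: Conn):
    """All (left_net, right_net) combinations a conn would install."""
    return [(l, r) for l in _networks(conn, "left")
            for r in _networks(conn, "right")]


def find_overlaps(conns: Dict[str, Conn]) -> List[Tuple[str, str, str, str]]:
    """Return (conn_a, conn_b, rightsubnet_a, rightsubnet_b) for every pair
    of conns whose left AND right selectors overlap, i.e. would compete
    for the same route. Sorted by conn name for stable output."""
    hits = []
    names = sorted(conns)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for la, ra in selector_pairs(conns[a]):
                for lb, rb in selector_pairs(conns[b]):
                    if la.overlaps(lb) and ra.overlaps(rb):
                        hits.append((a, b, str(ra), str(rb)))
    return hits


if __name__ == "__main__":
    for a, b, ra, rb in find_overlaps(parse_conns(SAMPLE_CONF)):
        print(f"route conflict: {a} rightsubnet={ra} overlaps {b} rightsubnet={rb}")
```

Run against the sample, the checker reports five conflicts: every pair involving a 0.0.0.0/0 client, and nothing for client07 versus client08, whose rightsubnets are disjoint. That is the property a per-client layout needs: each client conn's rightsubnet must not overlap any other client's if all of them share the same leftsubnet.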