[Swan] LibreSwan Gateway Behind A Public IP Router

Kumar P S Udai kumar.udai at zuwissen.com
Sun Aug 14 22:16:43 EEST 2022


Dear Libre Team

I have two CentOS Stream machines A and D with Libreswan 4.1 on both.
Machine A is at HO and already has a site-to-site VPN to two other
remote sites, but machine D is at an upcoming location that is being set up.
Machine D, on which Libreswan is being set up, is also acting as a Gateway and
Firewall for that small LAN.

Libreswan is being set up just like it is done successfully at the other
sites, except that there is one change at site D. At other locations
the ISP's Internet connection terminates on the WAN interface of the CentOS
machine, which has the public IPs configured directly on it.  However, at
site D, although it has both LAN and WAN interfaces, the Internet
connection is not terminated on the CentOS machine.  Instead it terminates
on a Wireless router set up by the ISP at our premises and, according to
them, this is the only way to make it work.

The LAN segment is 192.168.14.0/24 and its default gateway is the CentOS
machine, which has the IP 192.168.14.129/24 on the LAN interface.  The WAN
interface has the IP 10.10.128.100/24 and connects to the ISP's Wireless
router which is on 10.10.128.1/24.  The Public IP W.X.Y.Z is configured on
the WAN interface of the ISP's Wireless router.

*On machine D*

conn PLSUBNET
also=PLUTO-EUROPA
leftsubnet=192.168.14.0/24
leftsourceip=192.168.14.129
rightsubnet=192.168.1.0/24
rightsourceip=192.168.1.1
auto=start
conn PLUTO-EUROPA
type=tunnel
left=W.X.Y.Z
right=A.B.C.D
authby=secret
ikev2=insist
pfs=no
ike=aes256-sha2_512+sha2_256-dh21
esp=aes256-sha2_512+sha1+sha2_256;dh21
dpddelay=5
dpdtimeout=120
dpdaction=restart
encapsulation=yes

000 "PLSUBNET": 192.168.14.0/24===W.X.Y.Z<W.X.Y.Z>...A.B.C.D<A.B.C.D>===192.168.1.0/24; unrouted; eroute owner: #0
000 "PLSUBNET":     unoriented; my_ip=192.168.14.129; their_ip=192.168.1.1; my_updown=ipsec _updown;


*At the HO machine*

conn PLUTOSUBNET
also=EUROPA-PLUTO
leftsubnet=192.168.14.0/24
leftsourceip=192.168.14.129
rightsubnet=192.168.1.0/24
rightsourceip=192.168.1.1
auto=start
conn EUROPA-PLUTO
type=tunnel
left=W.X.Y.Z
right=A.B.C.D
authby=secret
ikev2=insist
pfs=no
ike=aes256-sha2_512+sha2_256-dh21
esp=aes256-sha2_512+sha1+sha2_256;dh21
dpddelay=5
dpdtimeout=120
dpdaction=restart
encapsulation=yes

000 "PLUTOSUBNET": 192.168.1.0/24===A.B.C.D<A.B.C.D>...W.X.Y.Z<W.X.Y.Z>===192.168.14.0/24; unrouted; eroute owner: #0
000 "PLUTOSUBNET":     oriented; my_ip=192.168.1.1; their_ip=192.168.14.129; my_updown=ipsec _updown;

*FYI.  The ISP's Wireless router has a rule to forward all incoming IPsec
traffic to the CentOS machine on 10.10.128.100*

Thank you, Best regards

Udai
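The "unoriented" line in machine D's status output is the diagnostic worth understanding: libreswan orients a conn by looking for the left= or right= address on one of the host's own interfaces, and W.X.Y.Z is held by the ISP's router, not by the CentOS box, while at HO A.B.C.D is local and the conn orients. The following is an added example (not from the post or the libreswan project) that reproduces that check over a constructed copy of machine D's config; 203.0.113.10 and 198.51.100.20 are placeholders for W.X.Y.Z and A.B.C.D, and %defaultroute is modelled as a caller-supplied address rather than read from the routing table.

```python
import ipaddress

# Constructed copy of machine D's conns from the post; 203.0.113.10 and
# 198.51.100.20 stand in for the public addresses W.X.Y.Z and A.B.C.D.
MACHINE_D_CONF = """
conn PLSUBNET
    also=PLUTO-EUROPA
    leftsubnet=192.168.14.0/24
    leftsourceip=192.168.14.129
    rightsubnet=192.168.1.0/24
    rightsourceip=192.168.1.1
conn PLUTO-EUROPA
    type=tunnel
    left=203.0.113.10
    right=198.51.100.20
"""

def parse_conns(text):
    """Parse conn sections into dicts, merging one level of also= (includer wins)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    for settings in conns.values():
        base = settings.pop("also", None)
        for key, value in conns.get(base, {}).items():
            settings.setdefault(key, value)
    return conns

def orient(conn, local_addrs, default_route=None):
    """Side whose address a local interface holds, else 'unoriented'."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    for side in ("left", "right"):
        value = conn.get(side, "")
        if value == "%defaultroute" and default_route:
            value = default_route
        try:
            if ipaddress.ip_address(value) in local:
                return side
        except ValueError:  # %any, hostnames etc. are not literal addresses
            continue
    return "unoriented"
```

With machine D's interface addresses (192.168.14.129 and 10.10.128.100) neither side matches, which is exactly the "unoriented" state in the status output; a gateway behind a NAT router normally orients by using the address the box actually holds (or %defaultroute) as left=, with the router's public address carried separately in leftid=, which this example does not model.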