[Swan] LibreSwan Gateway Behind A Public IP Router
Nick Howitt
nick at howitts.co.uk
Tue Aug 16 17:47:52 EEST 2022
On 14/08/2022 20:16, Kumar P S Udai wrote:
> Dear Libre Team
>
> I have two CentOS Stream machines A and D with Libreswan 4.1 on both.
> Machine A is at HO and already has a site-to-site VPN to two other
> remote sites, but machine D is at an upcoming location that is being
> set up. Machine D, on which Libreswan is being set up, is also acting as a
> Gateway and Firewall to that small LAN.
>
> Libreswan is being set up just like it is done at other sites
> successfully, except that there is one change at site D. At other
> locations the ISP's Internet connection terminates on the WAN interface
> of the CentOS machine, which has the public IPs configured directly on
> it. However, at site D, although it has both LAN and WAN interfaces, the
> Internet connection is not terminated on the CentOS machine. Instead it
> terminates on a Wireless router set up by the ISP at our premises and,
> according to them, this is the only way to make it work.
>
> The LAN segment is 192.168.14.0/24 and their default gateway is the
> CentOS machine, which has the IP 192.168.14.129/24 on the LAN interface.
> The WAN interface has the IP 10.10.128.100/24 and connects to the ISP's
> Wireless router, which is on 10.10.128.1/24. The Public IP W.X.Y.Z is
> configured on the WAN interface of the ISP's Wireless router.
>
> *On machine D*
>
> conn PLSUBNET
>     also=PLUTO-EUROPA
>     leftsubnet=192.168.14.0/24
>     leftsourceip=192.168.14.129
>     rightsubnet=192.168.1.0/24
>     rightsourceip=192.168.1.1
>     auto=start
>
> conn PLUTO-EUROPA
>     type=tunnel
>     left=W.X.Y.Z
>     right=A.B.C.D
>     authby=secret
>     ikev2=insist
>     pfs=no
>     ike=aes256-sha2_512+sha2_256-dh21
>     esp=aes256-sha2_512+sha1+sha2_256;dh21
>     dpddelay=5
>     dpdtimeout=120
>     dpdaction=restart
>     encapsulation=yes
>
> 000 "PLSUBNET": 192.168.14.0/24===W.X.Y.Z<W.X.Y.Z>...A.B.C.D<A.B.C.D>===192.168.1.0/24; unrouted; eroute owner: #0
> 000 "PLSUBNET": unoriented; my_ip=192.168.14.129; their_ip=192.168.1.1; my_updown=ipsec _updown;
>
> *At the HO machine*
>
> conn PLUTOSUBNET
>     also=EUROPA-PLUTO
>     leftsubnet=192.168.14.0/24
>     leftsourceip=192.168.14.129
>     rightsubnet=192.168.1.0/24
>     rightsourceip=192.168.1.1
>     auto=start
>
> conn EUROPA-PLUTO
>     type=tunnel
>     left=W.X.Y.Z
>     right=A.B.C.D
>     authby=secret
>     ikev2=insist
>     pfs=no
>     ike=aes256-sha2_512+sha2_256-dh21
>     esp=aes256-sha2_512+sha1+sha2_256;dh21
>     dpddelay=5
>     dpdtimeout=120
>     dpdaction=restart
>     encapsulation=yes
>
> 000 "PLUTOSUBNET": 192.168.1.0/24===A.B.C.D<A.B.C.D>...W.X.Y.Z<W.X.Y.Z>===192.168.14.0/24; unrouted; eroute owner: #0
> 000 "PLUTOSUBNET": oriented; my_ip=192.168.1.1; their_ip=192.168.14.129; my_updown=ipsec _updown;
>
> *FYI. The ISP's Wireless router has a rule to forward all incoming
> IPSEC traffic to the CentOS machine on 10.10.128.100*
>
> Thank you, Best regards
>
> Udai
>
Try setting a leftid and rightid and use them in the secrets file
preceded with an @ instead of (or as well as) the left/right IP. You can
use any string for the left/rightid, but they must agree at both ends.
Alternatively, on your HO machine, you will need to set leftid to
10.10.128.100.
Also, why use pfs=no?
Nick
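As an added illustration of the id-based setup Nick describes (this is not configuration from the original thread), here are the relevant lines for machine D and its secrets file; the ids @pluto and @europa and the PSK value are placeholders, and left= on D is assumed to be its own WAN address 10.10.128.100 so that pluto can orient the conn, since W.X.Y.Z only exists on the ISP's router.

```conf
# /etc/ipsec.conf on machine D (NATed behind the ISP router at 10.10.128.1)
conn PLUTO-EUROPA
    type=tunnel
    left=10.10.128.100        # D's own WAN address (assumed), so the conn orients
    leftid=@pluto             # placeholder id; must equal the HO's rightid... see below
    right=A.B.C.D
    rightid=@europa           # placeholder id; must equal the HO's own id
    authby=secret
    ikev2=insist
    encapsulation=yes
    # ike=, esp=, dpd* lines as in the original conn

# /etc/ipsec.secrets on machine D: index the PSK by the ids, not by IP,
# so the NAT between D and the HO does not matter for secret lookup
@pluto @europa : PSK "replace-with-a-long-random-secret"

# On the HO machine, left is still D's side, so the ids are mirrored:
#     leftid=@pluto
#     rightid=@europa
# and its /etc/ipsec.secrets carries the same "@pluto @europa : PSK" line.
```

The ipsec.secrets line is looked up by the ids exchanged in IKE, so both ends must use the same two strings and the same PSK.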