[Swan] libreswan inside local network with NAT (left) - MacOS roadwarrior (right)

Rodrigo Gruppelli grupis at gmail.com
Thu Nov 3 21:19:23 EET 2022


Hey Paul, thanks for your answer...

On Sun, Oct 30, 2022 at 19:42, Paul Wouters <paul at nohats.ca>
wrote:

> Yes, use the IKEv2 road warrior setup examples and forward port 500,4500
> UDP.
>

Are you talking about this example?
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

Below is the configuration I wrote... based on my scenario described in the
first email, is it correct?

When I create the VPN connection inside the MacOS Network Preferences,
inside authentication settings, I have the following options, but I can
make no sense of any:
- user authentication: then it asks the username and password. What
user/pass?
- certificate authentication: then it shows 2 certificates to choose:
com.apple.systemdefault and com.apple.kerberos.kdc ....
- none: then it shows a field for a pre-shared key... (what pre-shared
key?) or to choose one of the certificates above.

Am I missing some information? I'm kind of lost here...
Could you explain the steps with more details?

Cheers,
Rodrigo

conn ikev2-cp
        left=192.168.0.101
        leftcert=gruppelli
        leftid=@gruppelli
        leftsendcert=always
        leftsubnet=192.168.0.0/24
        leftrsasigkey=%cert

        right=%any
        rightaddresspool=192.168.0.1-192.168.0.254
        rightca=%same
        rightrsasigkey=%cert

        narrowing=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        auto=add
        ikev2=insist
        rekey=no
        fragmentation=yes




> Sent using a virtual keyboard on a phone
>
> > On Oct 29, 2022, at 08:43, Rodrigo Gruppelli <grupis at gmail.com> wrote:
> >
> > Greetings!
> >
> > I would like to know if it’s possible to achieve this kind of setup:
> >
> > On the left side, there is my local network (192.168.0.0/24)
> >
> > - The libreswan server is inside this network (IP 192.168.0.120)
> > - The provider's router local IP is 192.168.0.1 and its external IP is
> > valid but dynamic
> > - I use No-IP.org for dynamic DNS bindings
> > - I can tweak configuration inside provider’s router, to redirect
> > external TCP/UDP ports to machines inside
> >
> > On the right side, I’d like to be able to establish a tunnel with my
> > local network, wherever I am in the world, using a macbook, accessing
> > whatever machine inside my local network.
> >
> > Is it possible to build a setup like this? What do I need to configure
> > in ipsec.conf ?
> >
> > Cheers
> > Rodrigo
> >
> > _______________________________________________
> > Swan mailing list
> > Swan at lists.libreswan.org
> > https://lists.libreswan.org/mailman/listinfo/swan
>
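A quick sanity check of the conn block in this mail, as an added example (not code from the post, from Paul's reply or from libreswan itself): it parses the conn section and, given the LAN prefix 192.168.0.0/24 stated in the first email, flags a rightaddresspool that overlaps that LAN, since the pool would hand clients addresses already used by the router and the server. The libreswan wiki example keeps the client pool in a separate range (100.64.0.1-100.64.0.254); the other checks are assumptions of this example, not libreswan's own validation.

```python
import ipaddress
import re

# Constructed sample: the conn block from the post above, trimmed to the
# keys the checks below look at.
SAMPLE_CONF = """\
conn ikev2-cp
        left=192.168.0.101
        leftsubnet=192.168.0.0/24
        right=%any
        rightaddresspool=192.168.0.1-192.168.0.254
        ikev2=insist
"""

def parse_conns(text):
    """Parse 'conn NAME' sections of ipsec.conf-style text into dicts."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop '#' comments and whitespace
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)
            current[key.strip()] = val.strip()
    return conns

def ranges_overlap(first, last, net):
    """True if the address range first..last shares any address with net."""
    return not (last < net[0] or first > net[-1])

def lint_roadwarrior(conn, lan):
    """Return findings for a roadwarrior conn, given the server's LAN prefix."""
    findings = []
    lan = ipaddress.ip_network(lan)
    if conn.get("ikev2") not in ("insist", "yes"):
        findings.append("ikev2 should be insist/yes for the IKEv2 roadwarrior example")
    if conn.get("right") != "%any":
        findings.append("right should be %any so clients can connect from anywhere")
    pool = conn.get("rightaddresspool")
    if pool:
        first, last = (ipaddress.ip_address(p) for p in pool.split("-", 1))
        if ranges_overlap(first, last, lan):
            findings.append(f"rightaddresspool {pool} overlaps LAN {lan}: clients would get "
                            "addresses already in use there (router, server); use a separate range")
    left = conn.get("left")
    if left and ipaddress.ip_address(left) not in lan:
        findings.append(f"left={left} is not in LAN {lan}; the 500/4500 UDP forward must reach it")
    return findings
```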