[Swan] Incorrect XFRM policy with dynamic client IPs
Paul Wouters
paul at nohats.ca
Tue Feb 14 16:31:46 EET 2023
On Tue, 14 Feb 2023, Brady Johnson wrote:
> Why do the policies get created differently?
I think it is a configuration issue.
> Server config with address pool:
> -------------------------------------------
>
> conn vpnserver.dl110-05.xyz.com
> # right is remote(client), left is local(server)
> left=192.168.43.55
> leftid="O=XYZ,CN=vpnserver.dl110-05.xyz.com"
> leftsubnet=172.16.2.55/24
> leftrsasigkey=%cert
> leftcert=vpnserver.dl110-05.xyz.com
> leftsendcert=always
>
> # Clients
> right=%any
> rightrsasigkey=%cert
> rightid=%fromcert
> rightca=%same
> rightsubnet=0.0.0.0/0
> rightaddresspool="172.16.111.10-172.16.111.99"
Here rightsubnet should not be used because rightaddresspool is in use.
The right (client) subnet is supposed to be the 1 IP address.
It probably ignored rightsubnet= for you.
> Server config with static client IP:
> --------------------------------------------
>
> conn vpnserver.dl110-05.xyz.com
> left=192.168.43.55
> leftid="O=XYZ,CN=vpnserver.dl110-05.xyz.com"
> leftsubnet=172.16.2.55/24
> leftrsasigkey=%cert
> leftcert=vpnserver.dl110-05.xyz.com
> leftsendcert=always
>
> # Clients
> right=%any
> rightrsasigkey=%cert
> rightid=%fromcert
> rightca=%same
> rightsubnet=0.0.0.0/0
Now 0.0.0.0/0 lives on the client, not the server. So likely your server
is losing internet connectivity. You would want to use rightsubnet=172.16.111.10/32.
Paul
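An added example, written for this thread and not part of libreswan or of either message above: a small Python lint that parses the two server conn sections quoted in the thread and flags the two pitfalls described in the reply (rightsubnet= alongside rightaddresspool=, where the client's selector is its single leased address, and rightsubnet=0.0.0.0/0 with no pool, which puts the default route on the client side and cuts the server off). The finding names, the helper functions and the trimmed sample configs are this script's own assumptions; it only mirrors what the thread states about the resulting selectors.

```python
"""Lint a libreswan-style server conn for the two pitfalls discussed in the thread.

Added example, not libreswan code. Assumed: ipsec.conf-style 'conn' sections
with key=value lines; the finding codes below are this script's own names.
"""
import ipaddress
from typing import Dict, List

IPNet = ipaddress.IPv4Network

# Constructed sample input: the two server configs quoted in the thread, trimmed
# to the keys these checks look at (certificate settings left out).
CONF_POOL = """
conn vpnserver.dl110-05.xyz.com
    # right is remote(client), left is local(server)
    left=192.168.43.55
    leftsubnet=172.16.2.55/24
    right=%any
    rightsubnet=0.0.0.0/0
    rightaddresspool="172.16.111.10-172.16.111.99"
"""

CONF_STATIC = """
conn vpnserver.dl110-05.xyz.com
    left=192.168.43.55
    leftsubnet=172.16.2.55/24
    right=%any
    rightsubnet=0.0.0.0/0
"""


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser: 'conn NAME' opens a section; key=value lines fill it."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns


def pool_networks(conn: Dict[str, str]) -> List[IPNet]:
    """Networks covering the rightaddresspool range; each lease becomes a /32 client selector."""
    lo, hi = (ipaddress.ip_address(a.strip()) for a in conn["rightaddresspool"].split("-"))
    return list(ipaddress.summarize_address_range(lo, hi))


def expected_remote_selectors(conn: Dict[str, str]) -> List[IPNet]:
    """What the server-side policy's remote (client) selector should cover for this conn."""
    if "rightaddresspool" in conn:
        return pool_networks(conn)            # per client: its lease/32 inside these ranges
    if "rightsubnet" in conn:
        return [ipaddress.ip_network(conn["rightsubnet"], strict=False)]
    return [ipaddress.ip_network(conn["right"] + "/32")]


def check_server_conn(conn: Dict[str, str]) -> List[str]:
    """Return finding codes for the pitfalls in the thread (empty list = nothing flagged)."""
    findings: List[str] = []
    has_pool = "rightaddresspool" in conn
    remote = conn.get("rightsubnet")
    if has_pool and remote is not None:
        # With a pool the client's subnet is its single leased address; rightsubnet= is ignored.
        findings.append("rightsubnet-ignored-with-addresspool")
    if not has_pool and remote is not None:
        net = ipaddress.ip_network(remote, strict=False)
        if net.prefixlen == 0:
            # 0.0.0.0/0 as the remote selector sends every destination reachable from
            # leftsubnet into the tunnel toward the client; the server loses its own internet path.
            findings.append("default-route-to-client")
    return findings


if __name__ == "__main__":
    for label, text in (("pool", CONF_POOL), ("static", CONF_STATIC)):
        for name, conn in parse_conns(text).items():
            print(label, name, check_server_conn(conn),
                  [str(n) for n in expected_remote_selectors(conn)])
```

Run it against a real ipsec.conf by feeding the file contents to `parse_conns`; a conn that reports `default-route-to-client` is the case the reply fixes with a /32 such as rightsubnet=172.16.111.10/32, and one that reports `rightsubnet-ignored-with-addresspool` should simply drop the rightsubnet= line.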