[Swan] Incorrect XFRM policy with dynamic client IPs

Brady Johnson bradyjoh at redhat.com
Tue Feb 14 17:34:26 EET 2023


Paul,

Thanks for the info.

I tried your suggestion and I still get the same result. First I removed
the "rightsubnet=0.0.0.0/0" from the server config, and then got "IKE_AUTH
response rejected Child SA with TS_UNACCEPTABLE" when starting the client,
so I also removed "leftsubnet=0.0.0.0/0" from the client config, but the
client-side xfrm policies are the same as before.

Here are the relevant configs:

Server:
---------
    ...
    # Clients
    right=%any
    rightrsasigkey=%cert
    rightid=%fromcert
    rightca=%same
    rightaddresspool="172.16.111.10-172.16.111.99"
    leftmodecfgserver=yes
    ...

Client:
---------
    ...
    left=172.16.1.10
    leftrsasigkey=%cert
    leftid="O=XYZ,CN=vpnclient.dl110-00.xyz.com"
    leftcert=vpnclient.dl110-00.xyz.com
    leftupdown="/bin/ipsec_tunnel_tool_updown.xfrm.sh"
    leftmodecfgclient=yes
    ...


Regards,


Brady Johnson
Principal Software Engineer
Telco Solutions & Enablement
brady.johnson at redhat.com



On Tue, Feb 14, 2023 at 3:40 PM Paul Wouters <paul at nohats.ca> wrote:

> On Tue, 14 Feb 2023, Brady Johnson wrote:
>
> > Why do the policies get created differently?
>
> I think a configuration issue.
>
> > Server config with address pool:
> > -------------------------------------------
> >
> > conn vpnserver.dl110-05.xyz.com
> >     # right is remote(client), left is local(server)
> >     left=192.168.43.55
> >     leftid="O=XYZ,CN=vpnserver.dl110-05.xyz.com"
> >     leftsubnet=172.16.2.55/24
> >     leftrsasigkey=%cert
> >     leftcert=vpnserver.dl110-05.xyz.com
> >     leftsendcert=always
> >
> >     # Clients
> >     right=%any
> >     rightrsasigkey=%cert
> >     rightid=%fromcert
> >     rightca=%same
> >     rightsubnet=0.0.0.0/0
> >     rightaddresspool="172.16.111.10-172.16.111.99"
>
> Here rightsubnet should not be used because rightaddresspool is in use.
> The right (client) subnet is supposed to be the 1 IP address.
> It probably ignored rightsubnet= for you.
>
> > Server config with static client IP:
> > --------------------------------------------
> >
> > conn vpnserver.dl110-05.xyz.com
> >     left=192.168.43.55
> >     leftid="O=XYZ,CN=vpnserver.dl110-05.xyz.com"
> >     leftsubnet=172.16.2.55/24
> >     leftrsasigkey=%cert
> >     leftcert=vpnserver.dl110-05.xyz.com
> >     leftsendcert=always
> >
> >     # Clients
> >     right=%any
> >     rightrsasigkey=%cert
> >     rightid=%fromcert
> >     rightca=%same
> >     rightsubnet=0.0.0.0/0
>
> Now 0.0.0.0/0 lives on the client, not the server. So likely your server
> is losing internet connectivity. You would want to use rightsubnet=
> 172.16.111.10/32
>
> Paul
>
>
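A quick way to confirm which of the two states Paul describes the server is actually in is to read back the policies the kernel holds for that peer. The script below is an added example for this thread, not libreswan code: it parses `ip xfrm policy` output and checks that, for a modecfg address-pool peer, the remote traffic selector is a single host address inside the pool rather than 0.0.0.0/0 (which would pull all of the server's own egress into the tunnel, the connectivity loss Paul mentions). The sample policy dumps are constructed to mirror the configs in the thread (server 192.168.43.55 with 172.16.2.0/24 behind it, client 172.16.1.10 drawing 172.16.111.10 from the pool); priorities, reqid and the exact whitespace of a real dump are assumptions.

```python
"""Check server-side XFRM policies for a libreswan address-pool peer.

Added example for the Swan thread on dynamic client IPs; not libreswan code.
"""
import ipaddress
import re
import subprocess

# Constructed `ip xfrm policy` dump with the remote selector left open so the
# same template can show the broken and the expected state. The leading socket
# policy is the kind of entry a real dump also contains and must be ignored.
_TEMPLATE = """\
src 0.0.0.0/0 dst 0.0.0.0/0
\tsocket in priority 0 ptype main
src 172.16.2.0/24 dst {remote}
\tdir out priority 1753 ptype main
\ttmpl src 192.168.43.55 dst 172.16.1.10
\t\tproto esp reqid 16389 mode tunnel
src {remote} dst 172.16.2.0/24
\tdir fwd priority 1753 ptype main
\ttmpl src 172.16.1.10 dst 192.168.43.55
\t\tproto esp reqid 16389 mode tunnel
src {remote} dst 172.16.2.0/24
\tdir in priority 1753 ptype main
\ttmpl src 172.16.1.10 dst 192.168.43.55
\t\tproto esp reqid 16389 mode tunnel
"""


def sample_dump(remote):
    """Constructed dump with the peer's traffic selector set to `remote`."""
    return _TEMPLATE.format(remote=remote)


_POLICY_RE = re.compile(r"^src (\S+) dst (\S+)")
_DIR_RE = re.compile(r"^\s*dir (\w+) priority (\d+)")
_TMPL_RE = re.compile(r"^\s*tmpl src (\S+) dst (\S+)")


def parse_xfrm_policies(text):
    """Turn `ip xfrm policy` output into dicts; socket policies are dropped."""
    policies, cur = [], None
    for line in text.splitlines():
        m = _POLICY_RE.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "dir": None, "tmpl": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = _DIR_RE.match(line)
        if m:
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
            continue
        m = _TMPL_RE.match(line)
        if m:
            cur["tmpl"] = (m.group(1), m.group(2))
    return [p for p in policies if p["dir"] is not None]


def check_pool_peer(policies, local_ip, peer_ip, pool_start, pool_end):
    """Return problem strings for the tunnel local_ip <-> peer_ip.

    For an address-pool client the remote selector must be one host address
    taken from the pool: anything wider (0.0.0.0/0 above all) would route the
    server's own traffic into the tunnel.
    """
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems, seen = [], 0
    for p in policies:
        if p["tmpl"] is None or {*p["tmpl"]} != {local_ip, peer_ip}:
            continue  # socket policy or a different tunnel
        seen += 1
        # Outbound policies carry the remote side as dst, in/fwd as src.
        remote = p["dst"] if p["dir"] == "out" else p["src"]
        net = ipaddress.ip_network(remote, strict=False)
        if net.prefixlen != net.max_prefixlen:
            problems.append(f"{p['dir']}: remote selector {remote} is not a single host")
        elif not lo <= net.network_address <= hi:
            problems.append(f"{p['dir']}: remote address {remote} is outside the pool")
    if seen == 0:
        problems.append(f"no policies found for tunnel {local_ip} <-> {peer_ip}")
    return problems


def live_policies():
    """Parse the running kernel's policies (run as root for the full view)."""
    out = subprocess.run(["ip", "xfrm", "policy"], capture_output=True,
                         text=True, check=True).stdout
    return parse_xfrm_policies(out)


if __name__ == "__main__":
    args = ("192.168.43.55", "172.16.1.10", "172.16.111.10", "172.16.111.99")
    for label, remote in (("rightsubnet=0.0.0.0/0", "0.0.0.0/0"),
                          ("pool /32", "172.16.111.10/32")):
        found = check_pool_peer(parse_xfrm_policies(sample_dump(remote)), *args)
        print(f"{label}: {found or 'OK'}")
```

On the server, replace the constructed dump with `live_policies()` and pass the peer's public address as `peer_ip`; three "not a single host" findings (out, fwd, in) mean the 0.0.0.0/0 selector is still installed, while an empty list means the pool /32 is in place. The script is deliberately limited to what a policy dump can show; it does not inspect the SA traffic selectors negotiated in IKE_AUTH.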

