[Swan] Incorrect XFRM policy with dynamic client IPs
Brady Johnson
bradyjoh at redhat.com
Tue Feb 14 17:34:26 EET 2023
Paul,
Thanks for the info.
I tried your suggestion and I still get the same result. First I removed
the "rightsubnet=0.0.0.0/0" from the server config, and then got "IKE_AUTH
response rejected Child SA with TS_UNACCEPTABLE" when starting the client,
so I also removed "leftsubnet=0.0.0.0/0" from the client config, but the
client-side xfrm policies are the same as before.
Here are the relevant configs:
Server:
---------
...
# Clients
right=%any
rightrsasigkey=%cert
rightid=%fromcert
rightca=%same
rightaddresspool="172.16.111.10-172.16.111.99"
leftmodecfgserver=yes
...
Client:
---------
...
left=172.16.1.10
leftrsasigkey=%cert
leftid="O=XYZ,CN=vpnclient.dl110-00.xyz.com"
leftcert=vpnclient.dl110-00.xyz.com
leftupdown="/bin/ipsec_tunnel_tool_updown.xfrm.sh"
leftmodecfgclient=yes
...
Regards,
Brady Johnson
Principal Software Engineer
Telco Solutions & Enablement
brady.johnson at redhat.com
On Tue, Feb 14, 2023 at 3:40 PM Paul Wouters <paul at nohats.ca> wrote:
> On Tue, 14 Feb 2023, Brady Johnson wrote:
>
> > Why do the policies get created differently?
>
> I think it is a configuration issue.
>
> > Server config with address pool:
> > -------------------------------------------
> >
> > conn vpnserver.dl110-05.xyz.com
> > # right is remote(client), left is local(server)
> > left=192.168.43.55
> > leftid="O=XYZ,CN=vpnserver.dl110-05.xyz.com"
> > leftsubnet=172.16.2.55/24
> > leftrsasigkey=%cert
> > leftcert=vpnserver.dl110-05.xyz.com
> > leftsendcert=always
> >
> > # Clients
> > right=%any
> > rightrsasigkey=%cert
> > rightid=%fromcert
> > rightca=%same
> > rightsubnet=0.0.0.0/0
> > rightaddresspool="172.16.111.10-172.16.111.99"
>
> here rightsubnet should not be used because rightaddresspool is in use.
> The right (client) subnet is supposed to be the 1 IP address.
> It probably ignored rightsubnet= for you.
>
> > Server config with static client IP:
> > --------------------------------------------
> >
> > conn vpnserver.dl110-05.xyz.com
> > left=192.168.43.55
> > leftid="O=XYZ,CN=vpnserver.dl110-05.xyz.com"
> > leftsubnet=172.16.2.55/24
> > leftrsasigkey=%cert
> > leftcert=vpnserver.dl110-05.xyz.com
> > leftsendcert=always
> >
> > # Clients
> > right=%any
> > rightrsasigkey=%cert
> > rightid=%fromcert
> > rightca=%same
> > rightsubnet=0.0.0.0/0
>
> Now 0.0.0.0/0 lives on the client, not the server. So likely your server
> is losing internet connectivity. You would want to use rightsubnet=
> 172.16.111.10/32
>
> Paul
>
>
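An added check for the question in this thread (example code, not from the thread and not libreswan's own code): the script below parses `ip xfrm policy show` output and lists the tunnel policies whose peer-side traffic selector is 0.0.0.0/0, which is what "0.0.0.0/0 lives on the client, not the server" looks like in the server's kernel. The two dumps in the script are constructed, reusing the thread's addresses (server 192.168.43.55, client 172.16.1.10, pool address 172.16.111.10; the leftsubnet is taken as the 172.16.2.0/24 network). Per-socket bypass policies are skipped because they legitimately carry 0.0.0.0/0 and would be flagged by a plain grep. It is meant for the server side: on a full-tunnel client a 0.0.0.0/0 peer selector is expected.

```python
"""Find XFRM tunnel policies whose peer-side selector is 0.0.0.0/0.

Added example for the thread above, not libreswan code. The `ip xfrm policy
show` dumps below are constructed using the thread's addresses. Meant for the
server side: on a full-tunnel client a peer selector of 0.0.0.0/0 is
intentional, on the server it is the misconfiguration Paul describes.
"""
from __future__ import annotations

import ipaddress
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed: server policies when the client's selector came out as 0.0.0.0/0.
SAMPLE_BAD = """\
src 172.16.2.0/24 dst 0.0.0.0/0
\tdir out priority 1757393 ptype main
\ttmpl src 192.168.43.55 dst 172.16.1.10
\t\tproto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 172.16.2.0/24
\tdir in priority 1757393 ptype main
\ttmpl src 172.16.1.10 dst 192.168.43.55
\t\tproto esp reqid 16389 mode tunnel
"""

# Constructed: the same server after the client's selector is narrowed to its
# single pool address, plus a per-socket bypass policy the kernel always shows.
SAMPLE_GOOD = """\
src 172.16.2.0/24 dst 172.16.111.10/32
\tdir out priority 1757393 ptype main
\ttmpl src 192.168.43.55 dst 172.16.1.10
\t\tproto esp reqid 16389 mode tunnel
src 172.16.111.10/32 dst 172.16.2.0/24
\tdir in priority 1757393 ptype main
\ttmpl src 172.16.1.10 dst 192.168.43.55
\t\tproto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
\tsocket in priority 0 ptype main
"""

_SEL_RE = re.compile(r"^src (\S+) dst (\S+)")
_DIR_RE = re.compile(r"^\s+(dir|socket) (in|out|fwd)\b")
_TMPL_RE = re.compile(r"^\s+tmpl src (\S+) dst (\S+)")


@dataclass
class Policy:
    src: ipaddress.IPv4Network | ipaddress.IPv6Network
    dst: ipaddress.IPv4Network | ipaddress.IPv6Network
    direction: str = ""
    is_socket: bool = False                 # per-socket bypass, not a tunnel
    tmpl: Optional[tuple[str, str]] = None  # (tunnel src, tunnel dst) endpoints

    @property
    def peer_selector(self):
        # Outbound: the remote side is the dst selector; inbound/forward: src.
        return self.dst if self.direction == "out" else self.src


def parse_xfrm_policies(text: str) -> list[Policy]:
    """Parse `ip xfrm policy show` text into Policy records."""
    policies: list[Policy] = []
    for line in text.splitlines():
        m = _SEL_RE.match(line)
        if m:  # an unindented "src ... dst ..." line starts a new policy
            policies.append(Policy(ipaddress.ip_network(m.group(1), strict=False),
                                   ipaddress.ip_network(m.group(2), strict=False)))
            continue
        if not policies:
            continue
        cur = policies[-1]
        if m := _DIR_RE.match(line):
            cur.is_socket = m.group(1) == "socket"
            cur.direction = m.group(2)
        elif m := _TMPL_RE.match(line):
            cur.tmpl = (m.group(1), m.group(2))
    return policies


def wide_peer_tunnel_policies(policies: list[Policy]) -> list[Policy]:
    """Tunnel policies whose remote traffic selector covers every address.

    Socket bypass policies have no template and legitimately carry 0.0.0.0/0,
    so they are skipped here although a plain grep would flag them.
    """
    return [p for p in policies
            if p.tmpl is not None and not p.is_socket
            and p.peer_selector.prefixlen == 0]


def live_xfrm_policies() -> list[Policy]:
    """Parse the running kernel's policies (needs iproute2; may need root)."""
    out = subprocess.run(["ip", "xfrm", "policy", "show"], check=True,
                         capture_output=True, text=True).stdout
    return parse_xfrm_policies(out)


if __name__ == "__main__":
    for name, dump in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        hits = wide_peer_tunnel_policies(parse_xfrm_policies(dump))
        print(f"{name}: {len(hits)} tunnel policy(ies) with peer selector 0.0.0.0/0")
        for p in hits:
            print(f"  dir {p.direction}: src {p.src} dst {p.dst}")
```

On a live server, replace the sample dumps with live_xfrm_policies(); any hit means the kernel will steer traffic for every destination into that one client's tunnel, which matches the connectivity loss Paul describes.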