[Swan] Incorrect XFRM policy with dynamic client IPs
Paul Wouters
paul at nohats.ca
Tue Feb 14 17:58:34 EET 2023
On Tue, 14 Feb 2023, Brady Johnson wrote:
> I tried your suggestion and I still get the same result. First I removed the "rightsubnet=0.0.0.0/0" from the server config, and then got "IKE_AUTH
> response rejected Child SA with TS_UNACCEPTABLE" when starting the client, so I also removed "leftsubnet=0.0.0.0/0" from the client config, but the
> client-side xfrm policies are the same as before.
>
> Here are the relevant configs:
>
> Server:
> ---------
> ...
> # Clients
> right=%any
> rightrsasigkey=%cert
> rightid=%fromcert
> rightca=%same
> rightaddresspool="172.16.111.10-172.16.111.99"
> leftmodecfgserver=yes
> ...
This requires narrowing=yes and leftsubnet=yoursubnet/mask
> Client:
> ---------
> ...
> left=172.16.1.10
> leftrsasigkey=%cert
> leftid="O=XYZ,CN=vpnclient.dl110-00.xyz.com"
> leftcert=vpnclient.dl110-00.xyz.com
> leftupdown="/bin/ipsec_tunnel_tool_updown.xfrm.sh"
> leftmodecfgclient=yes
> ...
This requires narrowing=yes and leftsubnet=0.0.0.0/0 and rightsubnet=0.0.0.0/0.
That is, the client asks for "everything" and the server narrows it down
to one IP/32 to 0/0.
Paul
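As an added example (not part of this thread, and not a configuration from the Libreswan project), here are the two conn sections with Paul's two suggestions applied: on the server, narrowing=yes plus a concrete leftsubnet; on the client, narrowing=yes with both subnets set to 0.0.0.0/0. The pool and the client's left/leftid/leftcert values are copied from Brady's mail; the server address 192.0.2.1, the server LAN 192.0.2.0/24, the server's certificate and ID, and the conn name are constructed placeholders.

```conf
# ---- Server side (ipsec.conf) ----
# Constructed example: 192.0.2.1 / 192.0.2.0/24 and the server ID are placeholders.
conn roadwarriors
    # server identity
    left=192.0.2.1
    leftcert=vpnserver.xyz.com
    leftid="O=XYZ,CN=vpnserver.xyz.com"
    # the network the server will offer; replace with your real subnet/mask.
    # Do NOT set rightsubnet=0.0.0.0/0 here: the client's address comes from the pool.
    leftsubnet=192.0.2.0/24
    # Clients (taken from the original post)
    right=%any
    rightrsasigkey=%cert
    rightid=%fromcert
    rightca=%same
    rightaddresspool="172.16.111.10-172.16.111.99"
    leftmodecfgserver=yes
    # Required so the server may narrow the client's 0.0.0.0/0 proposal
    # down to <pool address>/32 <-> leftsubnet instead of answering TS_UNACCEPTABLE.
    narrowing=yes
    auto=add

# ---- Client side (ipsec.conf) ----
# Constructed example: the server address/ID are placeholders.
conn vpn
    left=172.16.1.10
    leftrsasigkey=%cert
    leftid="O=XYZ,CN=vpnclient.dl110-00.xyz.com"
    leftcert=vpnclient.dl110-00.xyz.com
    leftupdown="/bin/ipsec_tunnel_tool_updown.xfrm.sh"
    leftmodecfgclient=yes
    # The client asks for "everything" on both sides ...
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    # ... and allows the responder to narrow the traffic selectors.
    narrowing=yes
    right=192.0.2.1
    rightid="O=XYZ,CN=vpnserver.xyz.com"
    auto=start
```

After `ipsec restart` on both sides, `ip xfrm policy` on the client should show the narrowed selectors (the pool address as a /32 on the client side, and the server's leftsubnet on the other side) rather than the broad policies seen before; if the server still answers TS_UNACCEPTABLE, the first thing to check is that narrowing=yes is present on the server, since the narrowing is done by the responder.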