[Swan] Incorrect XFRM policy with dynamic client IPs
Brady Johnson
bradyjoh at redhat.com
Tue Feb 14 19:17:43 EET 2023
Paul,
I added your suggested config changes and still get the same xfrm policies
as before. Here are the configs:
All of this has been with version: "Linux Libreswan 4.5 (XFRM) on
4.18.0-372.40.1.el8_6.x86_64"
Server:
----------
conn vpnserver.dl110-05.xyz.com
left=192.168.43.55
leftid="O=XYZ,CN=vpnserver.dl110-05.xyz.com"
leftsubnet=172.16.2.55/24
leftrsasigkey=%cert
leftcert=vpnserver.dl110-05.xyz.com
leftsendcert=always
leftsourceip=10.10.100.5
leftmodecfgserver=yes
narrowing=yes
# Clients
right=%any
rightrsasigkey=%cert
rightid=%fromcert
rightca=%same
rightaddresspool="172.16.111.10-172.16.111.99"
...
Client:
--------
conn vpnclient.dl110-00.xyz.com
right=192.168.43.55
rightid="O=XYZ,CN=vpnserver.dl110-05.xyz.com"
rightsubnet=0.0.0.0/0
rightrsasigkey=%cert
left=172.16.1.10
leftrsasigkey=%cert
leftid="O=XYZ,CN=vpnclient.dl110-00.xyz.com"
leftcert=vpnclient.dl110-00.xyz.com
leftupdown="/bin/ipsec_tunnel_tool_updown.xfrm.sh"
leftsubnet=0.0.0.0/0
leftmodecfgclient=yes
narrowing=yes
mark=5/0xffffffff
vti-interface=vti01
vti-routing=yes
vti-shared=no
...
Regards,
*Brady Johnson*
Principal Software Engineer
Telco Solutions & Enablement
brady.johnson at redhat.com
On Tue, Feb 14, 2023 at 4:58 PM Paul Wouters <paul at nohats.ca> wrote:
> On Tue, 14 Feb 2023, Brady Johnson wrote:
>
> > I tried your suggestion and I still get the same result. First I removed
> > the "rightsubnet=0.0.0.0/0" from the server config, and then got "IKE_AUTH
> > response rejected Child SA with TS_UNACCEPTABLE" when starting the
> > client, so I also removed "leftsubnet=0.0.0.0/0" from the client config,
> > but the
> > client-side xfrm policies are the same as before.
> >
> > Here are the relevant configs:
> >
> > Server:
> > ---------
> > ...
> > # Clients
> > right=%any
> > rightrsasigkey=%cert
> > rightid=%fromcert
> > rightca=%same
> > rightaddresspool="172.16.111.10-172.16.111.99"
> > leftmodecfgserver=yes
> > ...
>
> This requires narrowing=yes and leftsubnet=yoursubnet/mask
>
> > Client:
> > ---------
> > ...
> > left=172.16.1.10
> > leftrsasigkey=%cert
> > leftid="O=XYZ,CN=vpnclient.dl110-00.xyz.com"
> > leftcert=vpnclient.dl110-00.xyz.com
> > leftupdown="/bin/ipsec_tunnel_tool_updown.xfrm.sh"
> > leftmodecfgclient=yes
> > ...
>
> This requires narrowing=yes and leftsubnet=0.0.0.0/0 and rightsubnet=
> 0.0.0.0/0.
> That is, the client asks for "everything" and the server narrows it down
> to one IP/32 to 0/0.
>
> Paul
>
>
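The shape Paul describes (client proposes 0/0 to 0/0, server narrows it to one pool address/32 to 0/0) can be checked directly against `ip xfrm policy` output. The following script is an added example, not code from the thread or from Libreswan; it assumes the narrowed selector on the client side is the address assigned from the server's `rightaddresspool`, and the two `ip xfrm policy` samples embedded in it are constructed to show the narrowed case beside the un-narrowed 0/0<->0/0 case the poster reports.

```python
"""Check whether a client's XFRM policies were narrowed the way the thread
describes: client asks for 0/0<->0/0, server narrows to <pool-ip>/32<->0/0.
Added example; the `ip xfrm policy` samples below are constructed, not
captured from the poster's hosts."""
import ipaddress
import re

POOL = "172.16.111.10-172.16.111.99"  # rightaddresspool from the server config

# Constructed sample: what `ip xfrm policy` shows when narrowing worked.
NARROWED = """\
src 172.16.111.12/32 dst 0.0.0.0/0
\tdir out priority 1753858 ptype main
\tmark 0x5/0xffffffff
\ttmpl src 172.16.1.10 dst 192.168.43.55
\t\tproto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 172.16.111.12/32
\tdir fwd priority 1753858 ptype main
\tmark 0x5/0xffffffff
\ttmpl src 192.168.43.55 dst 172.16.1.10
\t\tproto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 172.16.111.12/32
\tdir in priority 1753858 ptype main
\tmark 0x5/0xffffffff
\ttmpl src 192.168.43.55 dst 172.16.1.10
\t\tproto esp reqid 16389 mode tunnel
"""

# Constructed sample: the un-narrowed 0/0<->0/0 policies the poster reports.
UNNARROWED = """\
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir out priority 1753858 ptype main
\tmark 0x5/0xffffffff
\ttmpl src 172.16.1.10 dst 192.168.43.55
\t\tproto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir fwd priority 1753858 ptype main
\tmark 0x5/0xffffffff
\ttmpl src 192.168.43.55 dst 172.16.1.10
\t\tproto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir in priority 1753858 ptype main
\tmark 0x5/0xffffffff
\ttmpl src 192.168.43.55 dst 172.16.1.10
\t\tproto esp reqid 16389 mode tunnel
"""

SEL_RE = re.compile(r"^src (\S+) dst (\S+)")          # selector header line
DIR_RE = re.compile(r"^\s+dir (\w+)")                 # "dir out|in|fwd ..."
MARK_RE = re.compile(r"^\s+mark (0x[0-9a-f]+)/(0x[0-9a-f]+)")


def parse_xfrm_policies(text):
    """Turn `ip xfrm policy` output into dicts with src, dst, dir and mark."""
    policies = []
    for line in text.splitlines():
        m = SEL_RE.match(line)
        if m:
            policies.append({"src": ipaddress.ip_network(m.group(1)),
                             "dst": ipaddress.ip_network(m.group(2)),
                             "dir": None, "mark": None})
            continue
        if not policies:
            continue
        m = DIR_RE.match(line)
        if m:
            policies[-1]["dir"] = m.group(1)
            continue
        m = MARK_RE.match(line)
        if m:
            policies[-1]["mark"] = (int(m.group(1), 16), int(m.group(2), 16))
    return policies


def in_pool(net, pool):
    """True if net is a single host (/32) inside the "lo-hi" address pool."""
    lo, hi = (ipaddress.ip_address(p) for p in pool.split("-"))
    return net.prefixlen == 32 and lo <= net.network_address <= hi


def check_narrowing(text, pool=POOL, expect_mark=None):
    """Return a list of problems; an empty list means every policy has the
    narrowed shape: local side = pool address/32, remote side = 0.0.0.0/0."""
    problems = []
    policies = parse_xfrm_policies(text)
    if not policies:
        return ["no policies found"]
    anywhere = ipaddress.ip_network("0.0.0.0/0")
    for p in policies:
        # For dir out the local side is src; for in/fwd it is dst.
        local, remote = (p["src"], p["dst"]) if p["dir"] == "out" else (p["dst"], p["src"])
        if not in_pool(local, pool):
            problems.append(f"dir {p['dir']}: local selector {local} is not a /32 from pool {pool}")
        if remote != anywhere:
            problems.append(f"dir {p['dir']}: remote selector {remote} is not 0.0.0.0/0")
        if expect_mark is not None and p["mark"] != expect_mark:
            problems.append(f"dir {p['dir']}: mark {p['mark']} != expected {expect_mark}")
    return problems


if __name__ == "__main__":
    # mark=5/0xffffffff is the client config's mark= value.
    for name, sample in (("narrowed", NARROWED), ("unnarrowed", UNNARROWED)):
        print(name, check_narrowing(sample, expect_mark=(5, 0xffffffff)) or "OK")
```

On a live client, feed the real output in with `check_narrowing(subprocess.check_output(["ip", "xfrm", "policy"], text=True))`; the mark check is there because the client config pins `mark=5/0xffffffff`, and a policy installed without that mark will not be matched by the VTI traffic.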