[Swan] Incorrect XFRM policy with dynamic client IPs

Brady Johnson bradyjoh at redhat.com
Tue Feb 14 19:17:43 EET 2023


Paul,

I added your suggested config changes and still get the same xfrm policies
as before. Here are the configs:

All of this has been with version: "Linux Libreswan 4.5 (XFRM) on
4.18.0-372.40.1.el8_6.x86_64"

Server:
----------

conn vpnserver.dl110-05.xyz.com
    left=192.168.43.55
    leftid="O=XYZ,CN=vpnserver.dl110-05.xyz.com"
    leftsubnet=172.16.2.55/24
    leftrsasigkey=%cert
    leftcert=vpnserver.dl110-05.xyz.com
    leftsendcert=always
    leftsourceip=10.10.100.5
    leftmodecfgserver=yes
    narrowing=yes

    # Clients
    right=%any
    rightrsasigkey=%cert
    rightid=%fromcert
    rightca=%same
    rightaddresspool="172.16.111.10-172.16.111.99"
    ...

Client:
--------
conn vpnclient.dl110-00.xyz.com
    right=192.168.43.55
    rightid="O=XYZ,CN=vpnserver.dl110-05.xyz.com"
    rightsubnet=0.0.0.0/0
    rightrsasigkey=%cert

    left=172.16.1.10
    leftrsasigkey=%cert
    leftid="O=XYZ,CN=vpnclient.dl110-00.xyz.com"
    leftcert=vpnclient.dl110-00.xyz.com
    leftupdown="/bin/ipsec_tunnel_tool_updown.xfrm.sh"
    leftsubnet=0.0.0.0/0
    leftmodecfgclient=yes
    narrowing=yes

    mark=5/0xffffffff
    vti-interface=vti01
    vti-routing=yes
    vti-shared=no
    ...

Regards,

Brady Johnson
Principal Software Engineer
Telco Solutions & Enablement
brady.johnson at redhat.com



On Tue, Feb 14, 2023 at 4:58 PM Paul Wouters <paul at nohats.ca> wrote:

> On Tue, 14 Feb 2023, Brady Johnson wrote:
>
> > I tried your suggestion and I still get the same result. First I removed
> > the "rightsubnet=0.0.0.0/0" from the server config, and then got "IKE_AUTH
> > response rejected Child SA with TS_UNACCEPTABLE" when starting the
> > client, so I also removed "leftsubnet=0.0.0.0/0" from the client config,
> > but the client-side xfrm policies are the same as before.
> >
> > Here are the relevant configs:
> >
> > Server:
> > ---------
> >     ...
> >     # Clients
> >     right=%any
> >     rightrsasigkey=%cert
> >     rightid=%fromcert
> >     rightca=%same
> >     rightaddresspool="172.16.111.10-172.16.111.99"
> >     leftmodecfgserver=yes
> >     ...
>
> This requires narrowing=yes and leftsubnet=yoursubnet/mask
>
> > Client:
> > ---------
> >     ...
> >     left=172.16.1.10
> >     leftrsasigkey=%cert
> >     leftid="O=XYZ,CN=vpnclient.dl110-00.xyz.com"
> >     leftcert=vpnclient.dl110-00.xyz.com
> >     leftupdown="/bin/ipsec_tunnel_tool_updown.xfrm.sh"
> >     leftmodecfgclient=yes
> >     ...
>
> This requires narrowing=yes and leftsubnet=0.0.0.0/0 and rightsubnet=0.0.0.0/0.
> That is, the client asks for "everything" and the server narrows it down
> to one IP/32 to 0/0.
>
> Paul
>
>
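Paul's description of narrowing (the client asks for 0/0 to 0/0 and the server narrows it to one IP/32 to 0/0) can be verified against the kernel's policies on the client. The script below is an added example, not code from this thread or from Libreswan: it parses `ip xfrm policy` output and reports policies whose selectors are not the expected narrowed ones. The sample output is constructed; it assumes the client was assigned 172.16.111.10 from the server's rightaddresspool and reuses the endpoints and mark from the configs above.

```python
import re
# Constructed sample of `ip xfrm policy` output on the client (not from the thread): the
# state expected once the server narrowed the client's 0/0 request to its assigned address.
NARROWED = """\
src 172.16.111.10/32 dst 0.0.0.0/0
\tdir out priority 1042407 ptype main
\tmark 0x5/0xffffffff
\ttmpl src 172.16.1.10 dst 192.168.43.55
\t\tproto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 172.16.111.10/32
\tdir in priority 1042407 ptype main
\tmark 0x5/0xffffffff
\ttmpl src 192.168.43.55 dst 172.16.1.10
\t\tproto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 172.16.111.10/32
\tdir fwd priority 1042407 ptype main
\tmark 0x5/0xffffffff
\ttmpl src 192.168.43.55 dst 172.16.1.10
\t\tproto esp reqid 16389 mode tunnel
"""

def parse_xfrm_policies(text):
    """Turn `ip xfrm policy` output into one dict per policy entry."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"src (\S+) dst (\S+)$", line):        # start of an entry
            cur = {"src": m[1], "dst": m[2]}
            policies.append(cur)
        elif m := re.match(r"tmpl src (\S+) dst (\S+)", line):   # outer tunnel endpoints
            cur["tmpl_src"], cur["tmpl_dst"] = m[1], m[2]
        elif line.startswith(("dir ", "mark ")):
            cur[line.split()[0]] = line.split()[1]
    return policies

def check_narrowed_client(policies, assigned_ip, local, peer, mark):
    """Return deviations from the narrowed <assigned>/32 <-> 0/0 selectors ([] means OK)."""
    me, anywhere = f"{assigned_ip}/32", "0.0.0.0/0"
    exp = {"out": (me, anywhere, local, peer),               # (src, dst, tmpl_src, tmpl_dst)
           **dict.fromkeys(("in", "fwd"), (anywhere, me, peer, local))}
    findings, seen = [], set()
    for p in policies:
        if p.get("mark") != mark:              # ignore other connections' policies
            continue
        seen.add(d := p["dir"])
        got = (p["src"], p["dst"], p.get("tmpl_src"), p.get("tmpl_dst"))
        if got != exp[d]:
            findings.append(f"{d}: {got} is not narrowed to {exp[d]}")
    findings += [f"{d}: no policy carrying mark {mark}" for d in exp if d not in seen]
    return findings
```

On a live client, feed it the output of `ip xfrm policy` instead of the constructed sample; an un-narrowed 0/0 to 0/0 selector in the out direction is reported as a finding.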