[Swan] Problem routing multiple subnets

Trevor Hemsley trevor.hemsley at ntlworld.com
Mon Jun 5 23:15:12 EEST 2023


Hi

I have a test server set up to use IKEv2 and I can successfully connect 
and get it to assign me an IP address etc. if and only if I have one 
single subnet in my left/right config. I need to route 3 of them and I 
can do any one of them but not more. I have tried various syntaxes from 
{left,right}subnets="172.x.x.x/24 10.x.x.x/24 10.y.x.x/24", either comma 
or space separated, changing the "" to {}, nesting "{}", and none of 
those work. When I restart the server end, the daemon starts up but the 
connection is not started and there are no errors anywhere that I have 
found that tell me why (checked /var/log/{messages,secure} and journalctl 
-u ipsec). I am using libreswan-4.9-4.el9_2.x86_64 on a fully updated 
Rocky Linux 9.2 VM on both ends.

I have also tried adding 3 separate conn subnet{1,2,3}'s just containing 
also=mainconn and rightsubnet=, and that starts up but won't let me connect.

So this works with just one subnet on the left.

conn mainconn
     ikev2=insist
     mobike=yes
     fragmentation=yes
     left=%defaultroute
     leftsourceip=192.168.19.11
     #leftsubnets={10.x.0.0/16 10.y.0.0/16 192.16.12.0/23}
     leftsubnet=192.168.12.0/23
     leftid=93.x.x.x
     leftxauthserver=yes
     leftmodecfgserver=yes
     leftupdown=""
     right=%any
     rightaddresspool=192.168.19.128-192.168.19.192
     modecfgdns="192.168.12.x, 192.168.12.y"
     modecfgdomains="company.com"
     rightxauthclient=yes
     rightmodecfgclient=yes
     authby=secret
     auto=add
     retransmit-timeout=1m


If I comment out the leftsubnet line and uncomment the leftsubnets line then the 
conn silently fails to start. If I comment out both leftsub* lines and add 
the following before conn mainconn then the server side connection 
starts automatically but the client side gets TS_UNACCEPTABLE:

conn subnet1
     also=mainconn
     rightsubnet=192.168.12.0/23

conn subnet2
     also=mainconn
     rightsubnet=10.x.0.0/16

conn subnet3
     also=mainconn
     rightsubnet=10.y.0.0/16

The client side, also Rocky 9.2, looks like this:

conn subnet1
     also=mainconn
     rightsubnet=192.168.12.0/23

conn subnet2
     also=mainconn
     rightsubnet=10.x.0.0/16

conn subnet3
     also=mainconn
     rightsubnet=10.y.0.0/16

conn mainconn
     ikev2=insist
     mobike=yes
     fragmentation=yes
     left=%defaultroute
     #rightsubnet=192.168.12.0/23
     #rightsubnets={192.168.12.0/23,10.x.0.0/16,10.y.0.0/16}
     leftid=82.x.x.x
     leftmodecfgclient=yes
     leftxauthclient=yes
     leftusername=mytestuser
     right=93.x.x.x
     authby=secret
     modecfgpull=yes
     auto=add



181 "mainconn" #1: initiating IKEv2 connection
181 "mainconn" #1: sent IKE_SA_INIT request to 93.x.x.x:500
182 "mainconn" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
003 "mainconn" #1: initiator established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '93.x.x.x'
002 "mainconn" #2: received INTERNAL_IP4_ADDRESS x
002 "mainconn" #2: received INTERNAL_IP4_DNS x
002 "mainconn" #2: received INTERNAL_IP4_DNS x
005 "mainconn" #2: Received INTERNAL_DNS_DOMAIN: company.com
003 "mainconn" #2: CHILD SA failed: TS_UNACCEPTABLE
003 "mainconn" #1: IKE SA established but initiator rejected Child SA response
002 "mainconn" #2: deleting larval Child SA using IKE SA #1
003 ERROR: "mainconn" #2: netlink response for Del SA esp.d379a01c@93.x.x.x: No such process (errno 3)

On the server side I see this in /var/log/secure:

Jun  5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #1: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256;DH=MODP2048;DH=CURVE25519;DH=ECP_384;DH=ECP_521;DH=MODP3072;DH=MODP4096;DH=MODP8192[first-match] 2:IKE:ENCR=CHACHA20_POLY1305;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256;DH=MODP2048;DH=CURVE25519;DH=EC>
Jun  5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #1: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
Jun  5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #1: processing decrypted IKE_AUTH request: SK{IDi,AUTH,N(MOBIKE_SUPPORTED),CP,SA,TSi,TSr}
Jun  5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #1: responder established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '82.x.x.x'
Jun  5 19:38:42 rocky9 pluto[32013]: | pool 192.168.19.128-192.168.19.192: growing address pool from 0 to 1
Jun  5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #2: proposal 1:ESP=AES_GCM_C_256-ENABLED SPI=4318e7e4 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=ENABLED;ESN=DISABLED[first-match] 2:ESP:ENCR=CHACHA20_POLY1305;ESN=ENABLED;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA1_96;INTEG=HMAC_SHA2_256_128;ESN=ENABLED;ESN=DISABLED 4:ESP:ENCR=AES_GCM_C_128;ESN=ENABLED;ESN=DISA>
Jun  5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #2: responder established Child SA using #1; IPsec tunnel [192.168.12.0-192.168.13.255:0-65535 0] -> [192.168.19.128-192.168.19.128:0-65535 0] {ESPinUDP/ESN=>0x4318e7e4 <0xd379a01c xfrm=AES_GCM_16_256-NONE NATD=82.x.x.x:4500 DPD=passive}
Jun  5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #2: ESP traffic information: in=0B out=0B


What am I doing wrong, and what do I need to change to make this work? 
The goal is that on the client side I get routes added for all 3 
subnets on connect.

Thanks for any guidance

Trevor
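Added example, not code from the post above or from libreswan: a small Python checker for the two things the post is juggling. It parses an ipsec.conf-style file, resolves also= inheritance (assuming, as addconn does, that a conn's own keys override the keys it pulls in) and multiplies a brace-delimited leftsubnets= list out into one (left, right) subnet pair per entry, which is what a multi-subnet conn has to become; it then scans pluto "IPsec tunnel [..] -> [..]" log lines of the kind quoted above and reports which configured subnets never showed up in a negotiated traffic selector. The sample config and log line are constructed from the shapes in the post; 10.1.0.0/16 and 10.2.0.0/16 stand in for the masked 10.x/10.y networks, and the subnet1/NxM names printed at the end are illustrative only.

```python
"""Added example (not from the original post or libreswan): expand a
multi-subnet conn and check pluto's Child SA log lines against it."""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

Conn = Dict[str, str]

# Constructed sample: the server-side conns from the post, reduced to the
# keys that matter here. 10.1/10.2 stand in for the post's masked 10.x/10.y.
SAMPLE_CONF = """\
conn mainconn
     ikev2=insist
     left=%defaultroute
     leftsubnets={192.168.12.0/23 10.1.0.0/16 10.2.0.0/16}
     right=%any
     rightaddresspool=192.168.19.128-192.168.19.192
     authby=secret
     auto=add

conn subnet1
     also=mainconn
     rightsubnet=192.168.19.0/24
"""

# Constructed log line in the shape pluto uses when a Child SA comes up;
# as in the post, only the first subnet's range is ever negotiated.
SAMPLE_LOG = [
    '"subnet1"[1] 82.0.0.1 #2: responder established Child SA using #1; '
    'IPsec tunnel [192.168.12.0-192.168.13.255:0-65535 0] -> '
    '[192.168.19.128-192.168.19.128:0-65535 0] {ESPinUDP/ESN=>0x4318e7e4}',
]


def parse_conf(text: str) -> Dict[str, Conn]:
    """Collect 'conn NAME' sections into {name: {key: value}}, dropping # comments."""
    conns: Dict[str, Conn] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace() and line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns


def resolve(conns: Dict[str, Conn], name: str, seen: Optional[Set[str]] = None) -> Conn:
    """Merge in the conn named by also=; own keys win over inherited ones
    (assumed here to match addconn). Loops are rejected."""
    seen = set() if seen is None else seen
    if name in seen:
        raise ValueError(f"also= loop through {name}")
    seen.add(name)
    own = dict(conns[name])
    merged: Conn = {}
    parent = own.pop("also", "").strip()
    if parent:
        merged.update(resolve(conns, parent, seen))
    merged.update(own)
    return merged


def split_subnets(value: str) -> List[str]:
    """'{a b c}' (the form ipsec.conf(5) shows for *subnets=) or 'a,b,c' -> list."""
    return [s for s in re.split(r"[\s,]+", value.strip().strip("{}")) if s]


def expand(conn: Conn) -> List[Tuple[str, str]]:
    """One (left, right) pair per subnet combination; a side with neither
    *subnet nor *subnets is just that endpoint's own address ('host')."""
    def side(prefix: str) -> List[str]:
        if prefix + "subnets" in conn:
            return split_subnets(conn[prefix + "subnets"])
        return [conn.get(prefix + "subnet", "host")]
    return [(l, r) for l in side("left") for r in side("right")]


# Matches pluto's "IPsec tunnel [lo-hi:ports proto] -> [lo-hi:..." (IPv4 only).
TS_RE = re.compile(r"IPsec tunnel \[([\d.]+)-([\d.]+):\d+-\d+ \d+\] -> \[([\d.]+)-([\d.]+):")


def uncovered_subnets(left_subnets: List[str], log_lines: List[str]) -> List[str]:
    """Configured left subnets that no logged Child SA's left range fully covers."""
    ranges = [tuple(ipaddress.ip_address(x) for x in m.groups())
              for m in (TS_RE.search(line) for line in log_lines) if m]
    missing = []
    for cidr in left_subnets:
        if cidr == "host":
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(lo <= net.network_address and net.broadcast_address <= hi
                   for lo, hi, _, _ in ranges):
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    pairs = expand(resolve(parse_conf(SAMPLE_CONF), "subnet1"))
    for n, (left, right) in enumerate(pairs, 1):
        print(f"subnet1/{n}x1: {left} <-> {right}")  # /NxM names are illustrative
    print("configured but never negotiated:",
          uncovered_subnets([left for left, _ in pairs], SAMPLE_LOG))
```

Run against the constructed sample it lists three expanded pairs and reports 10.1.0.0/16 and 10.2.0.0/16 as never negotiated, which is the same picture the quoted server log gives: the only Child SA carries the 192.168.12.0-192.168.13.255 selector. Feeding it the real /var/log/secure is a quick way to see which conns actually produced a Child SA before going hunting for routes on the client.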