[Swan] Problem routing multiple subnets
Trevor Hemsley
trevor.hemsley at ntlworld.com
Mon Jun 5 23:15:12 EEST 2023
Hi,
I have a test server set up to use ikev2 and I can successfully connect
and get it to assign me an ip address etc. if and only if I have one
single subnet on my left/right config. I need to route 3 of them and I
can do any one of them but not more. I have tried various syntaxes from
{left,right}subnets="172.x.x.x/24 10.x.x.x/24 10.y.x.x/24", either comma
or space separated, changing the "" to {}, nesting "{}", and none of
those work. When I restart the server end, the daemon starts up but the
connection is not started and there are no errors anywhere that I have
found that tell me why (checked /var/log/{messages,secure} and journalctl
-u ipsec). I am using libreswan-4.9-4.el9_2.x86_64 on a fully updated
Rocky Linux 9.2 VM on both ends.
I have also tried adding 3 separate conn subnet{1,2,3} stanzas just containing
also=mainconn and rightsubnet=, and that starts up but won't let me connect.
So this works with just one subnet on the left:
conn mainconn
    ikev2=insist
    mobike=yes
    fragmentation=yes
    left=%defaultroute
    leftsourceip=192.168.19.11
    #leftsubnets={10.x.0.0/16 10.y.0.0/16 192.16.12.0/23}
    leftsubnet=192.168.12.0/23
    leftid=93.x.x.x
    leftxauthserver=yes
    leftmodecfgserver=yes
    leftupdown=""
    right=%any
    rightaddresspool=192.168.19.128-192.168.19.192
    modecfgdns="192.168.12.x, 192.168.12.y"
    modecfgdomains="company.com"
    rightxauthclient=yes
    rightmodecfgclient=yes
    authby=secret
    auto=add
    retransmit-timeout=1m
If I comment the leftsubnet line and uncomment the leftsubnets line, then the
conn silently fails to start. If I comment both leftsub* lines and add
the following prior to conn mainconn, then the server-side connection
starts automatically but the client side gets TS_UNACCEPTABLE:
conn subnet1
    also=mainconn
    rightsubnet=192.168.12.0/23

conn subnet2
    also=mainconn
    rightsubnet=10.x.0.0/16

conn subnet3
    also=mainconn
    rightsubnet=10.y.0.0/16
Client side, also Rocky 9.2, looks like this:
conn subnet1
    also=mainconn
    rightsubnet=192.168.12.0/23

conn subnet2
    also=mainconn
    rightsubnet=10.x.0.0/16

conn subnet3
    also=mainconn
    rightsubnet=10.y.0.0/16

conn mainconn
    ikev2=insist
    mobike=yes
    fragmentation=yes
    left=%defaultroute
    #rightsubnet=192.168.12.0/23
    #rightsubnets={192.168.12.0/23,10.x.0.0/16,10.y.0.0/16}
    leftid=82.x.x.x
    leftmodecfgclient=yes
    leftxauthclient=yes
    leftusername=mytestuser
    right=93.x.x.x
    authby=secret
    modecfgpull=yes
    auto=add
181 "mainconn" #1: initiating IKEv2 connection
181 "mainconn" #1: sent IKE_SA_INIT request to 93.x.x.x:500
182 "mainconn" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
003 "mainconn" #1: initiator established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '93.x.x.x'
002 "mainconn" #2: received INTERNAL_IP4_ADDRESS x
002 "mainconn" #2: received INTERNAL_IP4_DNS x
002 "mainconn" #2: received INTERNAL_IP4_DNS x
005 "mainconn" #2: Received INTERNAL_DNS_DOMAIN: company.com
003 "mainconn" #2: CHILD SA failed: TS_UNACCEPTABLE
003 "mainconn" #1: IKE SA established but initiator rejected Child SA response
002 "mainconn" #2: deleting larval Child SA using IKE SA #1
003 ERROR: "mainconn" #2: netlink response for Del SA esp.d379a01c at 93.x.x.x: No such process (errno 3)
Server side, I see this in /var/log/secure:
Jun 5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #1: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-ECP_256 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256;DH=MODP2048;DH=CURVE25519;DH=ECP_384;DH=ECP_521;DH=MODP3072;DH=MODP4096;DH=MODP8192[first-match] 2:IKE:ENCR=CHACHA20_POLY1305;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=ECP_256;DH=MODP2048;DH=CURVE25519;DH=EC>
Jun 5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #1: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
Jun 5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #1: processing decrypted IKE_AUTH request: SK{IDi,AUTH,N(MOBIKE_SUPPORTED),CP,SA,TSi,TSr}
Jun 5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #1: responder established IKE SA; authenticated peer using authby=secret and ID_IPV4_ADDR '82.x.x.x'
Jun 5 19:38:42 rocky9 pluto[32013]: | pool 192.168.19.128-192.168.19.192: growing address pool from 0 to 1
Jun 5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #2: proposal 1:ESP=AES_GCM_C_256-ENABLED SPI=4318e7e4 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=ENABLED;ESN=DISABLED[first-match] 2:ESP:ENCR=CHACHA20_POLY1305;ESN=ENABLED;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA1_96;INTEG=HMAC_SHA2_256_128;ESN=ENABLED;ESN=DISABLED 4:ESP:ENCR=AES_GCM_C_128;ESN=ENABLED;ESN=DISA>
Jun 5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #2: responder established Child SA using #1; IPsec tunnel [192.168.12.0-192.168.13.255:0-65535 0] -> [192.168.19.128-192.168.19.128:0-65535 0] {ESPinUDP/ESN=>0x4318e7e4 <0xd379a01c xfrm=AES_GCM_16_256-NONE NATD=82.x.x.x:4500 DPD=passive}
Jun 5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.x.x.x #2: ESP traffic information: in=0B out=0B
What am I doing wrong and what do I need to change to make this work?
The goal is that on the client side, I get routes added for all 3
subnets on connect.
Thanks for any guidance.
Trevor
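As an added check (not part of Trevor's post and not libreswan code): parse the server's "responder established Child SA" log line into the traffic selectors that were actually negotiated and compare them with the subnets the client is meant to reach. The redacted x/y octets from the post are replaced with constructed values.

```python
import ipaddress
import re

# Constructed sample based on the server-side log line in the post; the
# redacted "82.x.x.x" peer and the 10.x/10.y subnets use made-up values.
SAMPLE_LOG = (
    'Jun 5 19:38:42 rocky9 pluto[32013]: "subnet1"[1] 82.0.0.1 #2: '
    'responder established Child SA using #1; IPsec tunnel '
    '[192.168.12.0-192.168.13.255:0-65535 0] -> '
    '[192.168.19.128-192.168.19.128:0-65535 0] '
    '{ESPinUDP/ESN=>0x4318e7e4 <0xd379a01c xfrm=AES_GCM_16_256-NONE '
    'NATD=82.0.0.1:4500 DPD=passive}'
)

# The three subnets the client should get routes for (constructed stand-ins).
WANTED_SUBNETS = ["192.168.12.0/23", "10.1.0.0/16", "10.2.0.0/16"]

# libreswan prints each selector as [first-last:startport-endport protocol].
TS_RE = re.compile(
    r"IPsec tunnel \[([\d.]+)-([\d.]+):\d+-\d+ \d+\] -> "
    r"\[([\d.]+)-([\d.]+):\d+-\d+ \d+\]"
)


def parse_tunnel_line(line):
    """Return (local_networks, remote_networks) as lists of IPv4Network,
    or None if the line carries no 'IPsec tunnel' selector pair."""
    m = TS_RE.search(line)
    if not m:
        return None
    local = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))))
    remote = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(m.group(3)), ipaddress.ip_address(m.group(4))))
    return local, remote


def uncovered_subnets(negotiated, wanted):
    """Return the wanted subnets that no negotiated selector fully contains."""
    return [w for w in wanted
            if not any(ipaddress.ip_network(w).subnet_of(n) for n in negotiated)]


if __name__ == "__main__":
    local, remote = parse_tunnel_line(SAMPLE_LOG)
    print("server-side selector:", local, "client address:", remote)
    print("not covered by this Child SA:", uncovered_subnets(local, WANTED_SUBNETS))
```

Run against the real /var/log/secure line, the output shows that the single Child SA only carries 192.168.12.0/23, so any subnet listed as uncovered has no selector behind it regardless of how the conn stanzas are arranged.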