[Swan] Problem routing multiple subnets

Paul Wouters paul at nohats.ca
Tue Jun 6 03:16:07 EEST 2023


On Mon, 5 Jun 2023, Trevor Hemsley wrote:

> I have a test server set up to use ikev2 and I can successfully connect and get it to assign me an
> ip address etc if and only if I have one single subnet on my left/right config. I need to route 3
> of them and I can do any one of them but not more. I have tried various syntaxes from
> {left,right}subnets="172.x.x.x/24 10.x.x.x/24 10.y.x.x/24" either comma or space separated,
> changing the "" to {}, nesting "{}" and none of those work. When I restart the server end, the
> daemon starts up but the connection is not started and there are no errors anywhere that I have
> found that tell me why (checked /var/log/{messages,secure} and journalctl -u ipsec). I am using
> libreswan-4.9-4.el9_2.x86_64 on a fully updated Rocky Linux 9.2 VM on both ends.
> 
> I have also tried adding 3 separate conn subnet{1,2,3}'s just containing also=mainconn
> rightsubnet= and that starts up but won't let me connect.
> 
> So this works with just one subnet on the left.

With libreswan 5.0, you will be able to do this. It should be released
very soon (1-2 weeks hopefully).

The current 4.x code "instantiates" the *subnets= connections into
subnet= connections, but with a dynamic clients getting an IP address
it won't work for all instantiations of the subnets= connection.

5.0 will support multiple traffic selectors in a single IPsec SA, and
then what you want works.

You can try "git main", it has the code already, but you need to use

rightsubnet="172.x.x.x/24 10.x.x.x/24 10.y.x.x/24"

Note the singular subnet= use with multiple subnets. For 5.0 final, this
will be behind a new option and subnet= and subnets= will get the same
meanings.

Paul
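As an added check, not code from the thread or from libreswan itself: a small Python audit of an ipsec.conf that splits a space- or comma-separated subnet list as written in the reply above, rejects malformed or overlapping prefixes, and flags the combination the 4.x code cannot instantiate (several subnets on a conn that hands clients an address). The sample config and the use of rightaddresspool= to represent the dynamic-client case are assumptions of the example.

```python
import ipaddress
# Constructed ipsec.conf fragment (not from the thread); subnets are documentation
# placeholders and rightaddresspool= is assumed to model the dynamic-client case.
SAMPLE_CONF = """
conn mainconn
    left=192.0.2.1
    leftsubnet="172.16.10.0/24 10.10.0.0/24 10.20.0.0/24"
    right=%any
    rightaddresspool=192.0.2.128-192.0.2.254
conn badconn
    leftsubnet=10.10.0.0/24,10.10.0.128/25,10.300.0.0/24
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.startswith("conn "):          # unindented 'conn NAME' opens a section
            current = conns.setdefault(line.split()[1], {})
        elif line and not line[0].isspace():  # some other section, e.g. 'config setup'
            current = None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"{}')
    return conns

def check_subnet_list(value):
    """Split a space- or comma-separated list; return (networks, problems)."""
    nets, problems = [], []
    for token in value.replace(",", " ").split():
        try:
            nets.append(ipaddress.ip_network(token, strict=True))
        except ValueError as exc:
            problems.append(f"{token}: {exc}")
    problems += [f"{a} overlaps {b}" for i, a in enumerate(nets)
                 for b in nets[i + 1:] if a.overlaps(b)]
    return nets, problems

def audit(text):
    """Map conn name -> problems; several subnets plus an address pool needs libreswan 5.0."""
    report = {}
    for name, conf in parse_conns(text).items():
        pooled = any(k.endswith("addresspool") for k in conf)
        for key in ("leftsubnet", "rightsubnet"):
            nets, errs = check_subnet_list(conf.get(key, ""))
            if len(nets) > 1 and pooled:
                errs.append(f"{key}: multiple subnets with an address pool need libreswan 5.0")
            report.setdefault(name, []).extend(errs)
    return report
```

Running audit(SAMPLE_CONF) reports the 5.0 requirement for mainconn and, for badconn, both the invalid 10.300.0.0/24 token and the overlap between 10.10.0.0/24 and 10.10.0.128/25.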

