[Swan] Requesting an Internal Address on a Remote Network (IRAC) on IPSEC
Paul Wouters
paul at nohats.ca
Thu Nov 2 15:37:04 EET 2023
On Thu, 2 Nov 2023, Sandeep Burugupally wrote:
> 2. IP2 comes in between, or rather after IKEv2 is done on IP1, and IP2 is not associated with any Linux interface.
>
> We need to have an SA for IP2 as an output of IKEv2 on IP1. After researching the literature we found that the RFC does
> support this as CP payloads in IKE message exchanges.
>
> Ref : https://datatracker.ietf.org/doc/html/rfc4306#page-56 (section : 2.19)
>
> Kindly guide us in configuring the same in Libreswan.
As a client, this is a simple roadwarrior config, eg:
(assuming a PSK is used for authentication; parameter lines in an
ipsec.conf conn must be indented)
conn example-name
        # this end: use the default-route interface and its address
        left=%defaultroute
        leftid=@ClientName
        # propose everything; narrowing=yes lets the server narrow our
        # traffic selector down to the address it assigns
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0
        right=YourVPNServer
        rightid=@vpn.example.com
        narrowing=yes
        auto=start
        authby=secret
        # request an internal address from the server via IKEv2 CP
        leftmodecfgclient=yes
As a server, this is also fairly straightforward:
conn example-server
        # the VPN server IP
        left=A.B.C.D
        authby=secret
        # identities mirror the client config: leftid here is the
        # client's rightid and vice versa
        leftid=@vpn.example.com
        rightid=@ClientName
        right=%any
        # hand out your hardcoded single IP: a one-address pool, so the
        # client always receives IP2
        rightaddresspool=IP2/32
        leftsubnet=0.0.0.0/0
        # pull-style (request/reply) configuration exchange
        modecfgpull=yes
        narrowing=yes
See further: man ipsec.conf
Paul
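The two conn stanzas above, rendered from a few variables and sanity-checked, as an added example that is not part of Paul's reply or of libreswan itself. The server address 203.0.113.1, the pool address 192.0.2.10 (standing in for IP2), the output file names and the check_cp_pair helper are all assumptions for illustration; the helper only checks that the fragments are well-formed (every parameter line indented, a single /32 pool, mirrored IDs, client requests an address), not that the tunnel works. After copying the fragments into /etc/ipsec.d/ on each end, the real checks are `ipsec addconn --checkconfig` to parse the file and, once the client is up, `ipsec trafficstatus` on the server to see the established connection and the leased address.

```shell
#!/bin/sh
# Added example (not libreswan code): render a matching client/server pair
# for IKEv2 Configuration Payload address assignment and sanity-check it.
# All names, addresses and paths below are assumptions for illustration.

SERVER_IP="203.0.113.1"        # A.B.C.D in the original post (assumed)
SERVER_ID="@vpn.example.com"
CLIENT_ID="@ClientName"
POOL_ADDR="192.0.2.10"         # the single address to hand out, IP2 (assumed)

# Client side: this end asks the server for an address via CP.
# libreswan requires every parameter line in a conn to be indented.
render_client_conf() {
  # $1 = server address, $2 = server ID, $3 = client ID
  printf 'conn example-name\n'
  printf '\tleft=%%defaultroute\n'
  printf '\tleftid=%s\n' "$3"
  printf '\tleftsubnet=0.0.0.0/0\n'
  printf '\trightsubnet=0.0.0.0/0\n'
  printf '\tright=%s\n' "$1"
  printf '\trightid=%s\n' "$2"
  printf '\tnarrowing=yes\n'
  printf '\tauto=start\n'
  printf '\tauthby=secret\n'
  printf '\tleftmodecfgclient=yes\n'
}

# Server side: a one-address pool so the client always gets the same IP.
render_server_conf() {
  # $1 = server address, $2 = server ID, $3 = client ID, $4 = pool address
  printf 'conn example-server\n'
  printf '\t# the VPN server IP\n'
  printf '\tleft=%s\n' "$1"
  printf '\tauthby=secret\n'
  printf '\tleftid=%s\n' "$2"
  printf '\trightid=%s\n' "$3"
  printf '\tright=%%any\n'
  printf '\t# hand out your hardcoded single IP\n'
  printf '\trightaddresspool=%s/32\n' "$4"
  printf '\tleftsubnet=0.0.0.0/0\n'
  printf '\tmodecfgpull=yes\n'
  printf '\tnarrowing=yes\n'
}

# Hypothetical helper: check a rendered pair for the mistakes that stop CP
# from working: unindented lines, no address request on the client, a pool
# that is not a single /32, and IDs that are not mirrored between the ends.
check_cp_pair() {
  client="$1"; server="$2"
  # Any non-blank line that is neither a "conn" header nor indented is a
  # parameter line libreswan will not parse as part of the section.
  if grep -Ev '^(conn |[[:space:]]|$)' "$client" "$server" >/dev/null; then
    echo "unindented parameter line found" >&2; return 1
  fi
  grep -q '^[[:space:]]*leftmodecfgclient=yes' "$client" ||
    { echo "client does not request a CP address" >&2; return 1; }
  grep -Eq '^[[:space:]]*rightaddresspool=[0-9.]+/32$' "$server" ||
    { echo "server pool is not a single /32" >&2; return 1; }
  c_left=$(sed -n 's/^[[:space:]]*leftid=//p' "$client")
  c_right=$(sed -n 's/^[[:space:]]*rightid=//p' "$client")
  s_left=$(sed -n 's/^[[:space:]]*leftid=//p' "$server")
  s_right=$(sed -n 's/^[[:space:]]*rightid=//p' "$server")
  [ "$c_left" = "$s_right" ] && [ "$c_right" = "$s_left" ] ||
    { echo "IDs are not mirrored between client and server" >&2; return 1; }
  return 0
}

# Write both fragments to a scratch directory and check them.
OUT=$(mktemp -d)
render_client_conf "$SERVER_IP" "$SERVER_ID" "$CLIENT_ID" > "$OUT/client.conf"
render_server_conf "$SERVER_IP" "$SERVER_ID" "$CLIENT_ID" "$POOL_ADDR" > "$OUT/server.conf"
check_cp_pair "$OUT/client.conf" "$OUT/server.conf" && echo "config pair OK: $OUT"
```

The checker is deliberately strict about indentation because a mailing-list or copy-paste round trip (as in the archive above) silently strips it, and a flush-left `left=` line is then not read as part of the conn.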