[Swan] Requesting an Internal Address on a Remote Network (IRAC) on IPSEC

Sandeep Burugupally Sandeep.Burugupally at radisys.com
Mon Nov 6 06:59:57 EET 2023


Hello Paul,
After changing the configuration as per the previous mail, we have seen that IP1 & IP2 are on the same SA,
i.e., the IP2 ESP payload will have IP1 as the outer header in ESP tunnel mode, and the sequence number is being shared between IP1 & IP2 accordingly.
Kindly note that our requirement is to get two different, mutually exclusive SAs for 2 different IP sets from one IKE negotiation:
IP0-IP1 (SA1) -- (used for IKE negotiation)
IP0-IP2 (SA2) -- (should be one output of the above IKE negotiation)

Below are our ipsec.conf files from the server & client:


Server :
#libreswan /etc/ipsec.conf configuration file
config setup
  logfile=/var/log/pluto.log
  protostack=netkey
  # exclude networks used on server side by adding %v4:!a.b.c.0/24
  virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24

conn mytunnel
    authby=rsasig
    pfs=no
    auto=add
    rekey=no
    left=192.168.200.27
    leftcert="hostB.cert.com - rsys"
    leftid=%none
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    rightaddresspool=192.168.56.40-192.168.56.71
    right=%any
    rightid=%fromcert
    rightrsasigkey=%cert
    #modecfgdns=193.110.157.123,8.8.8.8
    # Versions up to 3.22 used modecfgdns1 and modecfgdns2
    #modecfgdns1=193.110.157.123
    #modecfgdns2=8.8.8.8
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=alwaysok
    fragmentation=yes
    narrowing=yes
    ikev2=insist
    mobike=yes
    # xauthby=pam
    # xauthfail=soft
    # Can be played with below
    # dpddelay=30
    # dpdtimeout=120
    # dpdaction=clear


Client:
config setup
  #protostack=netkey
  logfile=/var/log/pluto.log
  # exclude networks used on server side by adding %v4:!a.b.c.0/24
  #virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.24#7.0/24,%v4:!10.231.246.0/24


conn mytunnel
    authby=rsasig
    pfs=no
    mobike=yes
    ikev2=insist
    narrowing=yes
    auto=add
    rekey=no
    left=192.168.200.50
    leftcert="hostA.cert.com - rsys"
    leftid=%fromcert
    #leftsendcert=always
    #leftxauthusername=sandeep
    rightsubnet=192.168.200.0/0
    leftsubnet=192.168.200.0/0
    right=192.168.200.27
    rightid=%none
    #rightxauthserver=yes
    #leftxauthclient=yes
    rightmodecfgserver=yes
    leftmodecfgclient=yes
    #modecfgpull=yes
    xauthby=alwaysok
    ike-frag=yes
    # xauthby=pam
    # xauthfail=soft
    # Can be played with below
    # dpddelay=30
    # dpdtimeout=120
    # dpdaction=clear
    #
    # Commonly needed to talk to Cisco server
    # Might also need _exact_ ike= and esp= lines
    remote-peer-type=cisco
    aggrmode=no

Thanks & regards 
B Sandeep

-----Original Message-----
From: Paul Wouters <paul at nohats.ca> 
Sent: Thursday, November 2, 2023 7:07 PM
To: Sandeep Burugupally <Sandeep.Burugupally at radisys.com>
Cc: swan at lists.libreswan.org; Gopinath Reddy Sadhu <Gopinath.Sadhu at radisys.com>; Mayur Nakade <Mayur.Nakade at radisys.com>
Subject: Re: [Swan] Requesting an Internal Address on a Remote Network (IRAC) on IPSEC


On Thu, 2 Nov 2023, Sandeep Burugupally wrote:

> 2. IP2 comes in between, or rather after IKEv2 is done on IP1, and IP2 is not associated with any Linux interface.
>
> We need to have an SA for IP2 as an output of IKEv2 on IP1. After
> researching the literature we found that the RFC does support this as CP payloads in IKE message exchanges.
>
> Ref: https://datatracker.ietf.org/doc/html/rfc4306#page-56 (section 2.19)
>
> Kindly guide us in configuring the same in Libreswan.

As a client, this is a simple roadwarrior config, e.g. (assuming a PSK is used for authentication):

conn example-name
        left=%defaultroute
        leftid=@ClientName
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0
        right=YourVPNServer
        rightid=@vpn.example.com
        narrowing=yes
        auto=start
        authby=secret
        leftmodecfgclient=yes

As a server, this is also fairly straightforward:

conn example-server
        # the VPN server IP
        left=A.B.C.D
        authby=secret
        leftid=@vpn.example.com
        rightid=@ClientName
        right=%any
        # hand out your hardcoded single IP
        rightaddresspool=IP2/32
        leftsubnet=0.0.0.0/0
        modecfgpull=yes
        narrowing=yes

See further: man ipsec.conf

Paul
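Both sides of this thread exchange ipsec.conf fragments; as an added example (not libreswan's code and not either poster's), here is a small Python linter that parses a server/client ipsec.conf pair and checks the points that matter for the address-pool setup Paul describes: subnet values with host bits set (such as the client's 192.168.200.0/0 posted above), the client's rightsubnet fitting inside the server's leftsubnet, the rightaddresspool range, and leftmodecfgclient=yes on the client. The two sample configs embedded in it are constructed, reduced from the ones posted in this thread.

```python
import ipaddress
def parse_ipsec_conf(text):
    """Map 'config setup' / 'conn NAME' sections to {key: value}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():          # section headers sit at column 0
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def check_modecfg_pair(server, client, conn):
    """Return findings for conn on both sides (an empty list means consistent)."""
    s, c, out, nets = server["conn " + conn], client["conn " + conn], [], {}
    for side, cfg in (("server", s), ("client", c)):
        for key in ("leftsubnet", "rightsubnet"):
            if key in cfg:
                try:   # strict parsing rejects e.g. 192.168.200.0/0 (host bits set)
                    nets[side, key] = ipaddress.ip_network(cfg[key])
                except ValueError as e:
                    out.append(f"{side} {key}: {e}")
    # with narrowing, the client's view of the far side must fit what the server offers
    if ("client", "rightsubnet") in nets and ("server", "leftsubnet") in nets:
        if not nets["client", "rightsubnet"].subnet_of(nets["server", "leftsubnet"]):
            out.append("client rightsubnet: not covered by server leftsubnet")
    pool = s.get("rightaddresspool")
    if pool:   # accept both an 'a-b' range and a single CIDR such as IP2/32
        net = ipaddress.ip_network(pool) if "-" not in pool else None
        lo, hi = (net[0], net[-1]) if net is not None else map(ipaddress.ip_address, pool.split("-", 1))
        if lo > hi:
            out.append(f"server rightaddresspool: {pool} starts after it ends")
        if c.get("leftmodecfgclient") != "yes":
            out.append("client leftmodecfgclient: must be yes to receive a pool address")
    return out
# Constructed sample pair, reduced from the configs posted in this thread.
SERVER_CONF = """conn mytunnel
    leftsubnet=0.0.0.0/0
    rightaddresspool=192.168.56.40-192.168.56.71
"""
CLIENT_CONF = """conn mytunnel
    leftsubnet=192.168.200.0/0   # a /0 prefix with non-zero network bits
    rightsubnet=192.168.200.0/0
    leftmodecfgclient=yes
"""
FINDINGS = check_modecfg_pair(parse_ipsec_conf(SERVER_CONF), parse_ipsec_conf(CLIENT_CONF), "mytunnel")
```

Running it on the sample pair reports both client subnet lines as invalid; replacing them with 0.0.0.0/0 (as in Paul's client config) clears the findings.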
