[Swan] Requesting an Internal Address on a Remote Network (IRAC) on IPSEC
Sandeep Burugupally
Sandeep.Burugupally at radisys.com
Mon Nov 6 06:59:57 EET 2023
Hello Paul,
After changing the configurations as per the previous mail, we have seen that IP1 & IP2 are on the same SA.
i.e., the IP2 ESP payload has IP1 as the outer header in ESP tunnel mode, & the sequence number is shared between IP1 & IP2 accordingly.
Kindly note that our requirement is to get two different, mutually exclusive SAs for 2 different IP sets from one IKE negotiation.
IP0-IP1 (SA1) -- (used for IKE negotiation)
IP0-IP2 (SA2) -- (should be one output of the above IKE negotiation)
Below are our ipsec.conf files from the server & client.
Server:
#libreswan /etc/ipsec.conf configuration file
config setup
logfile=/var/log/pluto.log
protostack=netkey
# exclude networks used on server side by adding %v4:!a.b.c.0/24
virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.247.0/24,%v4:!10.231.246.0/24
conn mytunnel
authby=rsasig
pfs=no
auto=add
rekey=no
left=192.168.200.27
leftcert="hostB.cert.com - rsys"
leftid=%none
leftsendcert=always
leftsubnet=0.0.0.0/0
rightaddresspool=192.168.56.40-192.168.56.71
right=%any
rightid=%fromcert
rightrsasigkey=%cert
#modecfgdns=193.110.157.123,8.8.8.8
# Versions up to 3.22 used modecfgdns1 and modecfgdns2
#modecfgdns1=193.110.157.123
#modecfgdns2=8.8.8.8
leftxauthserver=yes
rightxauthclient=yes
leftmodecfgserver=yes
rightmodecfgclient=yes
modecfgpull=yes
xauthby=alwaysok
fragmentation=yes
narrowing=yes
ikev2=insist
mobike=yes
# xauthby=pam
# xauthfail=soft
# Can be played with below
# dpddelay=30
# dpdtimeout=120
# dpdaction=clear
Client:
config setup
#protostack=netkey
logfile=/var/log/pluto.log
# exclude networks used on server side by adding %v4:!a.b.c.0/24
#virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:!10.231.24#7.0/24,%v4:!10.231.246.0/24
conn mytunnel
authby=rsasig
pfs=no
mobike=yes
ikev2=insist
narrowing=yes
auto=add
rekey=no
left=192.168.200.50
leftcert="hostA.cert.com - rsys"
leftid=%fromcert
#leftsendcert=always
#leftxauthusername=sandeep
rightsubnet=192.168.200.0/0
leftsubnet=192.168.200.0/0
right=192.168.200.27
rightid=%none
#rightxauthserver=yes
#leftxauthclient=yes
rightmodecfgserver=yes
leftmodecfgclient=yes
#modecfgpull=yes
xauthby=alwaysok
ike-frag=yes
# xauthby=pam
# xauthfail=soft
# Can be played with below
# dpddelay=30
# dpdtimeout=120
# dpdaction=clear
#
# Commonly needed to talk to Cisco server
# Might also need _exact_ ike= and esp= lines
remote-peer-type=cisco
aggrmode=no
Thanks & regards
B Sandeep
-----Original Message-----
From: Paul Wouters <paul at nohats.ca>
Sent: Thursday, November 2, 2023 7:07 PM
To: Sandeep Burugupally <Sandeep.Burugupally at radisys.com>
Cc: swan at lists.libreswan.org; Gopinath Reddy Sadhu <Gopinath.Sadhu at radisys.com>; Mayur Nakade <Mayur.Nakade at radisys.com>
Subject: Re: [Swan] Requesting an Internal Address on a Remote Network (IRAC) on IPSEC
On Thu, 2 Nov 2023, Sandeep Burugupally wrote:
> 2. IP2 comes in between, or rather after, IKEv2 is done on IP1, & IP2 is not associated with any Linux interface.
>
> We need to have an SA for IP2 as an output of IKEv2 on IP1. After
> researching the literature we found that the RFC does support this via CP payloads in IKE message exchanges.
>
> Ref: https://datatracker.ietf.org/doc/html/rfc4306#page-56 (section 2.19)
>
> Kindly guide us in configuring the same in Libreswan .
As a client, this is a simple roadwarrior config, e.g.:
(assuming a PSK is used for authentication)
conn example-name
left=%defaultroute
leftid=@ClientName
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
right=YourVPNServer
rightid=@vpn.example.com
narrowing=yes
auto=start
authby=secret
leftmodecfgclient=yes
As a server, this is also fairly straightforward:
conn example-server
# the VPN server IP
left=A.B.C.D
authby=secret
leftid=@vpn.example.com
rightid=@ClientName
right=%any
# hand out your hardcoded single IP
rightaddresspool=IP2/32
leftsubnet=0.0.0.0/0
modecfgpull=yes
narrowing=yes
See further: man ipsec.conf
Paul
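To check on the server whether two inner addresses really ride one ESP SA (the symptom reported in the reply above), here is an added Python example, not code from the thread or from libreswan: it parses text in the shape of `ip xfrm policy` and `ip xfrm state` output, joins policies to SAs by reqid and outer peers, and groups inner selectors by SPI. The sample output is constructed and simplified; the addresses are taken from the posted configs.

```python
import re
from collections import defaultdict
# Constructed, simplified text in the shape of `ip xfrm policy` / `ip xfrm state` on the
# server (not captured from the poster's hosts): IP0=192.168.200.27, IP1=192.168.200.50,
# IP2=192.168.56.40 (the pool address). Both inner flows resolve to one reqid.
SAMPLE_POLICY = """\
src 192.168.200.27/32 dst 192.168.200.50/32
\tdir out priority 1042407 ptype main
\ttmpl src 192.168.200.27 dst 192.168.200.50
\t\tproto esp reqid 16389 mode tunnel
src 192.168.200.27/32 dst 192.168.56.40/32
\tdir out priority 1042407 ptype main
\ttmpl src 192.168.200.27 dst 192.168.200.50
\t\tproto esp reqid 16389 mode tunnel
"""
SAMPLE_STATE = """\
src 192.168.200.27 dst 192.168.200.50
\tproto esp spi 0x0a1b2c3d reqid 16389 mode tunnel
"""

def spi_by_reqid(state_text):
    """reqid -> {(outer_src, outer_dst): spi}, parsed from `ip xfrm state` text."""
    sas = defaultdict(dict)
    for b in re.split(r"\n(?=src )", state_text.strip()):   # one block per SA
        peers = re.match(r"src (\S+) dst (\S+)", b)
        sa = re.search(r"\bspi (0x[0-9a-f]+) reqid (\d+)", b)
        if peers and sa:
            sas[int(sa.group(2))][peers.groups()] = sa.group(1)
    return sas

def selectors_per_sa(policy_text, state_text):
    """SPI -> inner (src, dst) selectors whose outbound policy resolves to that SA.
    Several selectors under one SPI share one ESP SA and one outbound sequence counter."""
    sas = spi_by_reqid(state_text)
    by_spi = defaultdict(list)
    for b in re.split(r"\n(?=src )", policy_text.strip()):  # one block per policy
        sel = re.match(r"src (\S+) dst (\S+)", b)
        tmpl = re.search(r"tmpl src (\S+) dst (\S+)", b)
        reqid = re.search(r"\breqid (\d+)", b)
        if not (sel and tmpl and reqid and re.search(r"\bdir out\b", b)):
            continue
        # Match the policy's template peers against the SA's outer peers for that reqid.
        spi = sas.get(int(reqid.group(1)), {}).get(tmpl.groups())
        if spi:
            by_spi[spi].append(sel.groups())
    return dict(by_spi)

def shared_sas(policy_text, state_text):
    # Only the SAs that carry more than one inner selector (the symptom in the thread).
    return {s: v for s, v in selectors_per_sa(policy_text, state_text).items() if len(v) > 1}
```

Run it against real `ip xfrm policy` and `ip xfrm state` output from the server; an empty result means each inner selector has its own SA, as the poster wants.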