[Swan] Possible to setup multiple connections, partly behind NAT?
Phil Nightowl
phil.nightowl at gmail.com
Wed Feb 7 19:09:12 EET 2024
Hello everyone,
I am failing to configure multiple simultaneous connections with
part of the clients behind NAT and part not (though I am not sure to what
extent *that* is the main issue). Before elaborating thoroughly, can anyone
please tell me if the following setup is possible with libreswan at all?
* single server, multiple clients
* all connections host-to-host
* some clients behind NAT, some not
* ipsec must let ssh connections pass through untouched for some
connections
Network setup:
--------------
server.privlan 192.168.1.253
host[1-x].privlan 192.168.1.[1-x]
remotehost[1-x].privlan 10.0.1.[1-x]
roadwarrior
where
- 192.168.1.0/24 is NATted by a separate gateway at 192.168.1.254 to its
(fixed) public 198.51.100.33 (and then routed by the ISP)
- 500/udp, 4500/udp and esp of 198.51.100.33 are forwarded to 192.168.1.253
- 10.0.1.[1-x] are NATted by a separate gateway to its (fixed) public
203.0.113.55
- roadwarrior dynamic as usual
host[1-x].privlan, remotehost[1-x].privlan and roadwarrior should be able to
connect to server.privlan simultaneously
Currently, server.privlan has libreswan 4.10, other hosts mostly 4.3.
I am using X.509 for authentication, which seems to work. The first part of
the desired setup (connections within 192.168.1.0/24) does work as well.
Things do break as soon as I try to add more conns. I am not sure that I
understand the log correctly, but pluto seems to switch between connections
when I don't expect it to, or refuses a proposal due to wrong TS, and so on.
Is the desired setup possible with libreswan at all? If so, does anyone see
what I am doing wrong? Feel free to ask for additional config files,
debugging output, etc., as needed.
For the current working part config, please see below.
Many thanks in advance. Best regards,
Phil
===================================
Config on server.privlan:
conn privlan-ssh
    type=passthrough
    left=%defaultroute
    right=%group
    auto=ondemand
    authby=never

conn privlan
    left=%defaultroute
    right=%group
    auto=ondemand
    authby=rsasig
    ikev2=insist
    leftid=%fromcert
    rightid=%fromcert
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=server
    leftsendcert=always
    rightsendcert=always
    rightca=%same
    pfs=yes
    aggressive=no
    salifetime=1h
    negotiationshunt=hold
    failureshunt=drop
with policies/privlan having:
192.168.1.0/25
and policies/privlan-ssh:
192.168.1.0/24 tcp 0 22
192.168.1.0/24 tcp 22 0
Similarly, on the host[1-x].privlan I have:
conn privlan-ssh
    type=passthrough
    left=%defaultroute
    right=%group
    auto=ondemand
    authby=never

conn privlan
    left=%defaultroute
    right=%opportunisticgroup
    auto=ondemand
    ikev2=insist
    leftid=%fromcert
    rightid=%fromcert
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert=host1
    leftsendcert=always
    rightsendcert=always
    rightca=%same
    pfs=yes
    aggressive=no
    salifetime=1h
    negotiationshunt=hold
    failureshunt=drop
with the following policies/privlan:
192.168.1.253
and policies/privlan-ssh:
192.168.1.0/24 tcp 0 22
192.168.1.0/24 tcp 22 0