[Swan] Possible to setup multiple connections, partly behind NAT?

Phil Nightowl phil.nightowl at gmail.com
Wed Feb 7 19:09:12 EET 2024


Hello everyone,

        I am failing to configure multiple simultaneous connections with 
some of the clients behind NAT and some not (though I am not sure to what 
extent *that* is the main issue). Before elaborating further, can anyone 
please tell me whether the following setup is possible with libreswan at all?

* single server, multiple clients
* all connections host-to-host
* some clients behind NAT, some not
* ipsec must allow ssh connections to pass through untouched for some of 
  the connections

Network setup:
--------------
server.privlan 192.168.1.253

host[1-x].privlan 192.168.1.[1-x]
remotehost[1-x].privlan 10.0.1.[1-x]
roadwarrior

where

- 192.168.1.0/24 is NATted by a separate gateway at 192.168.1.254 to its
(fixed) public 198.51.100.33 (and then routed by the ISP)

- 500/udp, 4500/udp and esp of 198.51.100.33 are forwarded to 192.168.1.253

- 10.0.1.[1-x] are NATted by a separate gateway to its (fixed) public
203.0.113.55

- roadwarrior dynamic as usual

host[1-x].privlan, remotehost[1-x].privlan and roadwarrior should be able to
connect to server.privlan simultaneously

Currently, server.privlan has libreswan 4.10, other hosts mostly 4.3.

I am using X.509 for authentication, which seems to work. The first part of 
the desired setup (connections within 192.168.1.0/24) does work as well.

Things break as soon as I try to add more conns. I am not sure that I 
understand the log correctly, but pluto seems to switch between connections 
when I don't expect it to, or refuses a proposal due to a wrong TS, and so on.

Is the desired setup possible with libreswan at all? If so, does anyone see 
what I am doing wrong? Feel free to ask for additional config files, 
debugging output, etc., as needed.

For the config of the currently working part, please see below.

Many thanks in advance. Best regards,

Phil


===================================
Config on server.privlan:

conn privlan-ssh
     type=passthrough
     left=%defaultroute
     right=%group
     auto=ondemand
     authby=never

conn privlan
     left=%defaultroute
     right=%group
     auto=ondemand
     authby=rsasig
     ikev2=insist
     leftid=%fromcert
     rightid=%fromcert
     leftrsasigkey=%cert
     rightrsasigkey=%cert
     leftcert=server
     leftsendcert=always
     rightsendcert=always
     rightca=%same
     pfs=yes
     aggressive=no
     salifetime=1h
     negotiationshunt=hold
     failureshunt=drop

with policies/privlan having:
192.168.1.0/25

and policies/privlan-ssh:
192.168.1.0/24   tcp  0   22
192.168.1.0/24   tcp  22   0


Similarly, on the host[1-x].privlan I have:

conn privlan-ssh
     type=passthrough
     left=%defaultroute
     right=%group
     auto=ondemand
     authby=never

conn privlan
     left=%defaultroute
     right=%opportunisticgroup
     auto=ondemand
     ikev2=insist
     leftid=%fromcert
     rightid=%fromcert
     leftrsasigkey=%cert
     rightrsasigkey=%cert
     leftcert=host1
     leftsendcert=always
     rightsendcert=always
     rightca=%same
     pfs=yes
     aggressive=no
     salifetime=1h
     negotiationshunt=hold
     failureshunt=drop

with the following

policies/privlan:
192.168.1.253

and policies/privlan-ssh:
192.168.1.0/24   tcp  0   22
192.168.1.0/24   tcp  22   0
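The policy files above are the part of the setup most worth checking against the network plan. The following is an added example, not code from the original post or from libreswan: it parses `/etc/ipsec.d/policies/<conn>` files in the format the post uses (a CIDR, optionally followed by protocol, source port and destination port, with 0 read as "any port") and reports which group conns on server.privlan cover each of a handful of flows constructed from the addresses in the post. The matching is a plain subnet/protocol/port overlap check that lists every covering entry; it does not reimplement pluto's priority logic for choosing between overlapping installed policies. The client source port 40000 and the HTTPS flows are assumptions used only to have non-SSH traffic to compare against.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PolicyEntry:
    conn: str                       # group conn that owns the policy file
    network: ipaddress.IPv4Network  # remote (right) addresses covered
    proto: Optional[str]            # None = any protocol
    sport: int                      # 0 = any source port
    dport: int                      # 0 = any destination port


def parse_policies(conn: str, text: str) -> list[PolicyEntry]:
    """Parse the contents of /etc/ipsec.d/policies/<conn>.

    Each non-comment line is either 'CIDR' or 'CIDR proto sport dport',
    which is the shape of the post's policies/privlan and privlan-ssh.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        network = ipaddress.ip_network(fields[0], strict=False)
        if len(fields) == 1:
            entries.append(PolicyEntry(conn, network, None, 0, 0))
        elif len(fields) == 4:
            entries.append(PolicyEntry(conn, network, fields[1].lower(),
                                       int(fields[2]), int(fields[3])))
        else:
            raise ValueError(f"{conn}: malformed policy line {raw!r}")
    return entries


def covering_entries(entries, peer_ip, proto, sport, dport):
    """Return every entry whose CIDR, protocol and ports cover a flow with
    the given remote peer. Overlaps are reported, not resolved: which of
    several installed policies wins is decided by pluto, not here."""
    peer = ipaddress.ip_address(peer_ip)
    hits = []
    for e in entries:
        if peer not in e.network:
            continue
        if e.proto is not None and e.proto != proto:
            continue
        if e.sport and e.sport != sport:
            continue
        if e.dport and e.dport != dport:
            continue
        hits.append(e)
    return hits


def coverage_report(entries, flows):
    """Map each flow label to the sorted tuple of conn names covering it;
    an empty tuple means no group policy file mentions that peer/flow."""
    report = {}
    for label, peer, proto, sport, dport in flows:
        hits = covering_entries(entries, peer, proto, sport, dport)
        report[label] = tuple(sorted({e.conn for e in hits}))
    return report


# Policy files exactly as posted for server.privlan.
SERVER_POLICIES = (
    parse_policies("privlan", "192.168.1.0/25\n")
    + parse_policies("privlan-ssh",
                     "192.168.1.0/24 tcp 0 22\n192.168.1.0/24 tcp 22 0\n")
)

# Constructed flows as seen from server.privlan (192.168.1.253), built from
# the addresses in the post. Client port 40000 is an assumption.
FLOWS = [
    ("host1 ssh to server",         "192.168.1.1",   "tcp", 40000, 22),
    ("host1 https to server",       "192.168.1.1",   "tcp", 40000, 443),
    ("host in upper half, https",   "192.168.1.200", "tcp", 40000, 443),
    ("host in upper half, ssh",     "192.168.1.200", "tcp", 40000, 22),
    ("remotehost1 private address", "10.0.1.1",      "tcp", 40000, 443),
    ("remotehost1 NAT gateway",     "203.0.113.55",  "tcp", 40000, 443),
]

if __name__ == "__main__":
    for label, conns in coverage_report(SERVER_POLICIES, FLOWS).items():
        print(f"{label:30s} -> {', '.join(conns) if conns else 'no group policy'}")
```

Two things the report makes visible from the posted files alone: hosts in 192.168.1.128-255 are covered only by the passthrough conn, because policies/privlan uses a /25 while privlan-ssh uses a /24, and neither 10.0.1.x nor the NAT gateway's 203.0.113.55 appears in any server-side policy file, so the `%group` conns as posted do not describe those peers at all. That is a reasonable place to start when reading the "wrong TS" log lines.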

