[Swan] Possible to setup multiple connections, partly behind NAT?

Phil Nightowl phil.nightowl at gmail.com
Thu Feb 8 12:07:02 EET 2024


> > Currently, server.privlan has libreswan 4.10, other hosts mostly 4.3.
> 
> I would try 4.12.

Can you tell me that this is not strictly required to make it work? Of 
course, I am going to upgrade at some point - but it will make my life much 
easier if I don't have to do it on all hosts involved and right now.

As a starting point,

> If you do want to do opportunistic encryption, that really does assume
> that there is no NAT to traverse and all nodes see each others real IP
> address.

this is what I have missed in the docs so far. I have been using 
opportunistic for 192.168.1.0/24 and it works (no NAT there). Primarily 
not because I really need opportunistic encryption here (no unknown 
hosts), but the way of configuring it (policies) seemed well arranged 
and flexible to me.

No problem switching away from opportunistic if that makes things work, 
but out of curiosity: is it OK to mix regular and opportunistic 
connections?

> I'm assuming you have roadwarriors (eg clients on dynamic IP that get an
> internal IP assigned?)

Yes, I do - but they have been using a separate solution and I can keep it 
that way for some time. They have the lowest priority right now.

So, here goes:

> > ===================================
> > Config on server.privlan:

did not touch (yet). See below. I began with changing host1.privlan's 
config to read

conn privlan-ssh
    type=passthrough
    left=%defaultroute
    right=%any
    auto=ondemand
    authby=never
    leftprotoport=tcp/%any
    rightprotoport=tcp/22

(flipped left/rightprotoport, since we're on the client here).

Unfortunately, after restarting I get:

host1 pluto[77105]: "privlan-ssh": added passthrough connection
...
host1 pluto[77105]: "privlan-ssh": cannot route template policy of AUTH_NEVER+PASS

... and SSH access is gone. An 'ip xfrm pol list' doesn't show any 
policies for SSH, only the generic ones. When attempting to use 'tcp/0' 
instead of 'tcp/%any', pluto segfaults:

host1 pluto[78546]: "privlan-ssh": added passthrough connection
...
host1 libipsecconf[78550]: connect(pluto_ctl) failed: Connection refused
host1 systemd[1]: ipsec.service: Main process exited, code=killed, status=11/SEGV
host1 systemd[1]: ipsec.service: Failed with result 'signal'.

Any suggestions? Of course, I would like to get SSH working before I 
start touching anything else.

Also, thanks for Cc:'ing me, please keep it that way. For some reason, 
recently I get only a small fraction of the messages sent from the list. 
Maybe I need to move away from Gmail, it might consider the messages as 
spam and not make them available via IMAP. Sorry to be off-topic.

Best regards,

Phil
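The following is an added example, not code from the poster or from libreswan: a small Python checker that parses a `conn` block in ipsec.conf syntax together with pluto/systemd log lines like the ones quoted above, and correlates the "cannot route template policy" message with the connection definition that caused it. The sample config and log text are copied from the post; the parsing and diagnosis logic (`parse_conns`, `parse_log`, `diagnose`) is mine, and the only libreswan fact it relies on is that a `left=`/`right=` value of `%any` turns a conn into a template that is instantiated per peer rather than routed directly.

```python
"""Correlate libreswan conn definitions with pluto log errors (added example)."""
import re

# Constructed sample: the conn block quoted in the post.
SAMPLE_CONF = """\
conn privlan-ssh
    type=passthrough
    left=%defaultroute
    right=%any
    auto=ondemand
    authby=never
    leftprotoport=tcp/%any
    rightprotoport=tcp/22
"""

# Constructed sample: the pluto and systemd lines quoted in the post.
SAMPLE_LOG = """\
host1 pluto[77105]: "privlan-ssh": added passthrough connection
host1 pluto[77105]: "privlan-ssh": cannot route template policy of AUTH_NEVER+PASS
host1 systemd[1]: ipsec.service: Main process exited, code=killed, status=11/SEGV
"""


def parse_conns(text):
    """Parse 'conn NAME' sections into {name: {key: value}}.

    Section headers start at column 0; their key=value lines are indented.
    Comments after '#' and blank lines are ignored.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            # A new top-level section; only 'conn' sections are kept.
            m = re.match(r"conn\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                conns[current] = {}
            continue
        if current and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


# pluto lines name the connection in double quotes before the message.
LOG_RE = re.compile(r'pluto\[(\d+)\]: "([^"]+)": (.*)')
# systemd reports a pluto crash as an exit by signal 11.
SEGV_RE = re.compile(r"ipsec\.service: .*status=11/SEGV")


def parse_log(text):
    """Turn log lines into events: per-connection pluto messages and crashes."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append({"pid": int(m.group(1)), "conn": m.group(2), "msg": m.group(3)})
        elif SEGV_RE.search(line):
            events.append({"pid": None, "conn": None, "msg": "pluto crashed (SIGSEGV)"})
    return events


def diagnose(conns, events):
    """Explain routing failures and crashes using the parsed conn definitions."""
    findings = []
    for ev in events:
        if "cannot route template policy" in ev["msg"]:
            conn = conns.get(ev["conn"], {})
            # %any on either end makes the conn a template (instantiated per peer).
            wildcard = [side for side in ("left", "right") if conn.get(side) == "%any"]
            findings.append(
                f"{ev['conn']}: not routed; wildcard peer in {wildcard} makes it a template"
            )
        elif ev["msg"].startswith("pluto crashed"):
            findings.append("pluto exited with SIGSEGV; ipsec.service is down")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_conns(SAMPLE_CONF), parse_log(SAMPLE_LOG)):
        print(finding)
```

Run against the quoted material it reports that `privlan-ssh` was never routed because `right=%any` makes it a template, and separately that the daemon died with SIGSEGV, which is why no SSH-related policies show up in `ip xfrm pol list`.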
