[Swan] Possible to setup multiple connections, partly behind NAT?

Paul Wouters paul at nohats.ca
Thu Feb 8 16:31:46 EET 2024


On Thu, 8 Feb 2024, Phil Nightowl wrote:

>> I would try 4.12.
>
> Can you tell me that this is not strictly required to make it work? Of
> course, I am going to upgrade at some point - but it will make my life much
> easier if I don't have to do it on all hosts involved and right now.

No, I can't without knowing a lot more and getting a lot more debug messages,
and tracking down where we solved bugs in older versions :)

> As a starting point,
>
>> If you do want to do opportunistic encryption, that really does assume
>> that there is no NAT to traverse and all nodes see each others real IP
>> address.
>
> this is what I have missed in the docs so far. I have been using
> opportunistic for 192.168.1.0/24 and it works (no NAT there). Primarily
> not because I really need opportunistic encryption here (no unknown
> hosts), but the way of configuring it (policies) seemed well arranged
> and flexible to me.

We should make that more clear, sorry. Yes it is a nice way to do
"cloud encryption".

> No problem switching away from opportunistic if that makes things work,
> but out of curiosity: is it OK to mix regular and opportunistic
> connections?

Yes. Regular connections should always "win" over opportunistic ones.

>> I'm assuming you have roadwarriors (eg clients on dynamic IP that get an
>> internal IP assigned?)
>
> Yes, I do - but they have been using a separate solution and I can keep it
> that way for some time. They have the lowest priority right now.
>
> So, here goes:
>
>>> ===================================
>>> Config on server.privlan:
>
> did not touch (yet). See below. I began with changing host1.privlan's
> config to read
>
> conn privlan-ssh
>    type=passthrough
>    left=%defaultroute
>    right=%any
>    auto=ondemand
>    authby=never
>    leftprotoport=tcp/%any
>    rightprotoport=tcp/22
>
> (flipped left/rightprotoport, since we're on the client here).
>
> Unfortunately, after restarting I get:
>
> host1 pluto[77105]: "privlan-ssh": added passthrough connection
> ...
> host1 pluto[77105]: "privlan-ssh": cannot route template policy of AUTH_NEVER+PASS

Sorry, try this:

conn privlan-ssh
     type=passthrough
     left=%defaultroute
     right=%any
     auto=ondemand
     authby=never
     leftsubnet=0.0.0.0/0
     rightsubnet=0.0.0.0/0
     leftprotoport=tcp/%any
     rightprotoport=tcp/22

e.g. add the subnets.

> Also, thanks for Cc:'ing me, please keep it that way. For some reason,
> recently I get only a small fraction of the messages sent from the list.

Check your spam folder. Google enforced SPF/DKIM on all mail, as in they
started refusing large amounts of emails. We did fix the libreswan lists
to do this, so likely this is no longer happening to you.

Paul
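As an added illustration (not part of the thread and not Libreswan code), the check below parses ipsec.conf-style conn sections and flags passthrough conns that lack leftsubnet/rightsubnet, mirroring the fix suggested above; the sample text is constructed from the two conn definitions in the thread, and the rule "passthrough needs both subnets" is taken from the reply rather than from the Libreswan documentation.

```python
# Constructed sample: the first conn is the one pluto rejected with
# "cannot route template policy of AUTH_NEVER+PASS", the second is the
# corrected version with leftsubnet/rightsubnet added.
SAMPLE_CONF = """\
conn privlan-ssh-broken
    type=passthrough
    left=%defaultroute
    right=%any
    auto=ondemand
    authby=never
    leftprotoport=tcp/%any
    rightprotoport=tcp/22

conn privlan-ssh
    type=passthrough
    left=%defaultroute
    right=%any
    auto=ondemand
    authby=never
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    leftprotoport=tcp/%any
    rightprotoport=tcp/22
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text.
    Only 'conn' sections are collected; other sections are ignored."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():               # unindented: section header
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) > 1
            current = conns.setdefault(parts[1], {}) if is_conn else None
            continue
        if current is not None and "=" in line: # indented: key=value
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def passthrough_missing_subnets(conns):
    """Names of passthrough conns lacking leftsubnet or rightsubnet."""
    return sorted(
        name for name, kv in conns.items()
        if kv.get("type") == "passthrough"
        and not ("leftsubnet" in kv and "rightsubnet" in kv)
    )
```

Run it over a real ipsec.conf before restarting pluto to catch the missing-subnet case without waiting for the log line.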

