[Swan] Possible to setup multiple connections, partly behind NAT?

Phil Nightowl phil.nightowl at gmail.com
Fri Feb 9 01:12:46 EET 2024


> > > I would try 4.12.
> > 
> > Can you tell me that this is not strictly required to make it work? Of
> > course, I am going to upgrade at some point - but it will make my life much
> > easier if I don't have to do it on all hosts involved and right now.
> 
> No I can't without knowing a lot more and getting a lot more debug msgs,
> and tracking down where we solved bugs in older versions :)

Got it. I will proceed with the currently installed versions anyway - 
and keep in mind that some problems might arise as a result of this.

Following your advice, I changed the config files on host1.privlan (applicable 
to any host on my 192.168.1.x except server.privlan). SSH access is fixed, 
the config on host1.privlan does not use opportunistic encryption any longer 
and works fine. Adding

     leftsubnet=0.0.0.0/0
     rightsubnet=0.0.0.0/0

did help. Could you please explain why it did and how? The man page doesn't 
mention 0.0.0.0/0. On the other hand, it does say that "if 
[leftsubnet/rightsubnet is] omitted, essentially assumed to be left/32, 
signifying that the left end of the connection goes to the left participant 
only" - which is exactly my case. So I am quite confused here.

Now for server.privlan. To begin with the easier part (SSH), to switch away 
from opportunistic encryption I think I need

conn privlan-ssh
    type=passthrough
    left=%defaultroute
    auto=ondemand
    authby=never
    leftprotoport=tcp/22
    rightprotoport=tcp/%any

plus possibly(?)

    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0

However, I should add something instead of

    right=%any

since I probably don't want to allow SSH from all hosts to get through. That 
was actually my second reason to use opportunistic encryption. The man page 
says that left/right accepts IPs, FQDNs and magic values. So I assume I 
cannot use netmasks here. How can I (without opportunistic encryption) 
select only certain hosts to pass SSH through? That is probably only a 
specific form of a general question: how do I distinguish between different 
configs with identical left participant (server) without listing each 
individual right participant explicitly?

> Check your spam folder. Google enforced SPF/DKIM on all mail, as in they
> started refusing large amounts of emails. We did fix the libreswan lists
> to do this, so likely this is no longer happening to you.

For me, it seems that Google doesn't refuse the messages, but marks them as 
spam anyway. As a result, fetchmail doesn't get to see them and after 30 
days, they get deleted. A few messages make it (randomly) into the regular 
inbox anyway, but approx. 5-15 per month.

Many thanks!

Phil
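As an added example (not part of the thread or of libreswan itself), a small Python check that parses conn sections written in the key=value layout shown above and lists the passthrough conns that exempt SSH (tcp/22) for right=%any, i.e. for every remote host, which is the exposure the post is worried about. The sample config is constructed; host1-ssh is a hypothetical per-host variant.

```python
# Added example, not from the thread: lint libreswan-style conn sections and
# report passthrough conns that exempt SSH (tcp/22) from IPsec for right=%any.

# Constructed sample, modelled on the privlan-ssh conn discussed above;
# host1-ssh is a hypothetical per-host variant with an explicit peer.
SAMPLE_CONF = """\
conn privlan-ssh
    type=passthrough
    left=%defaultroute
    right=%any
    auto=ondemand
    authby=never
    leftprotoport=tcp/22
    rightprotoport=tcp/%any
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0

conn host1-ssh
    type=passthrough
    left=%defaultroute
    right=192.168.1.10
    leftprotoport=tcp/22
    rightprotoport=tcp/%any
"""


def parse_conns(text: str) -> dict[str, dict[str, str]]:
    """Return {conn_name: {key: value}} for each 'conn NAME' section."""
    conns: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns


def open_ssh_passthroughs(text: str) -> list[str]:
    """Names of passthrough conns that exempt tcp/22 for any remote peer."""
    hits = []
    for name, opts in parse_conns(text).items():
        ports = {opts.get("leftprotoport"), opts.get("rightprotoport")}
        if (opts.get("type") == "passthrough"
                and opts.get("right") == "%any"
                and "tcp/22" in ports):
            hits.append(name)
    return hits
```

Running `open_ssh_passthroughs(SAMPLE_CONF)` reports only `privlan-ssh`; the per-host conn with an explicit `right=` address is not flagged.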

More information about the Swan mailing list