<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Bob,<br>
<br>
As soon as you mention transport mode I am lost as I've never used
it or got my mind round it so I don't understand it. Ditto
passthrough conns, so you could be way ahead of me. If I were doing
it, I'd use tunnel mode.<br>
<br>
I've done something slightly similar from an OpenVPN roadwarrior
connecting to my server then onto a remote IPsec LAN on a Draytek
router. The Draytek additional LAN solution I think, is proprietary
and I could not get it to interoperate with Libreswan. I got round
the issue by configuring OpenVPN to use the 172.12.3.0/24 subnet on
the server with a server LAN subnet of 172.17.2.0/24. I then set up
a tunnel in Libreswan to the Draytek for the 172.17.2.0/23 subnet
(which, to save you doing the subnet calculation, encompasses the
172.17.2.0/14 and 172.17.3.0/24 subnets). This got round the need to
set up two tunnels but it should also work with two tunnels (or two
subnets tunnelled) if you can get them to work between the Sonicwall
and Libreswan. OpenVPN was configured to push routes for both the
server LAN subnet and remote LAN subnet.<br>
<br>
Regards,<br>
<br>
Nick<br>
<br>
<div class="moz-cite-prefix">On 11/06/2015 04:18, Bob Miller wrote:<br>
</div>
<blockquote cite="mid:5578FE01.3000408@computerisms.ca" type="cite">
<br>
Hi Nick,
<br>
<br>
thanks for your reply, and I apologize for my tardy response.
<br>
<br>
<blockquote type="cite">Do you have a tunnel from your roadwarrior
to Libreswan for the subnet
<br>
192.168.0.0/24? I don't know the Windows client (or any ikev2
details
<br>
therefore my knowledge is entirely theoretical)so I don't know
if you
<br>
can use left/rightsubnets in Libreswan or if you have to define
two
<br>
different tunnels.
<br>
<br>
Similarly you will need a tunnel with subnets from 10.25.0.0/24
and
<br>
192.168.25.0/24. When negotiating these tunnels with the
Sonicwall, do
<br>
you see both coming up? Again, if the Sonicwall can't cope you
may also
<br>
need to define two separate tunnels from Libreswan.
<br>
</blockquote>
<br>
hm. I think I see where you are going with this... the answer is
that I have attempted to make such a tunnel with a passthrough
conn, but I do not have a 3rd dedicated tunnel from roadwarrior to
sonicwall. If I did have a dedicated tunnel like that, would
libreswan not then connect to that tunnel and make the LAN and
internet inaccessible? What I have (non-network details trimmed):
<br>
<br>
conn lan2sonic
<br>
left=199.247.233.69
<br>
leftsubnet=192.168.25.0/24
<br>
leftnexthop=%defaultroute
<br>
right=184.69.103.190
<br>
rightsubnet=192.168.0.0/24
<br>
rightnexthop=%defaultroute
<br>
<br>
conn rw-ikev2
<br>
left=199.247.233.69
<br>
leftsubnet=0.0.0.0/0
<br>
right=%any
<br>
rightaddresspool=10.25.0.2-10.25.0.20
<br>
<br>
A note regarding leftsubnet=0.0.0.0/0: this being my first attempt
at ikev2, I found that the way I did it with l2tp (setting left
subnet to be that of LAN and setting up iptables for forwarding)
was insufficient. I forget what details I tripped on that clued
me into trying 0.0.0.0/0, but when I did, internet works for
roadwarriors without split tunnelling. If I just set
leftsubnet=192.168.25.0/24, I get connection to the LAN, but no
internet.
<br>
<br>
That said, I had no better success on a l2tp setup, but I was
admittedly less aggressive in my attempts to get that one working.
<br>
<br>
I tried a lot of variations, but one example of my attempt with a
passthrough conn:
<br>
<br>
conn rw-pass-vic
<br>
left=%any
<br>
leftsubnet=10.25.0.0/24
<br>
right=184.69.103.190
<br>
rightsubnet=192.168.0.0/24
<br>
<br>
I tried in conn lan2sonic using
<br>
<br>
leftsubnets=192.168.25.0/24, 10.25.0.0/24
<br>
<br>
I also tried in conn rw-ikev2 using
<br>
<br>
leftsubnets=0.0.0.0/0, 192.168.0.0/24
<br>
<br>
Given that the leftsubnet on the ikev2 connection is 0.0.0.0/0,
and the packets find their way to the 192.168.25.0/24 network, I
kind of think that packets for 192.168.0.0/24 should similarly
find their way on to the tunnel destined for the sonicwall, but
tcpdump shows they head out to the internet. Since my
expectations were not met, I have just been trying stuff, hoping
to make the light bulb go on. maybe I have had my conns right, but
some other variable wrong. This is why I am hoping to gain a
better understanding of what is supposed to happen, maybe then I
can figure out how to get there...
<br>
<br>
<blockquote type="cite"> From a different angle, what is your
roadwarrior's local LAN subnet
<br>
when performing these tests? If is 192.168.0.0/24 then you have
a big
<br>
issue as both the local and (very) remote subnets are the same.
<br>
</blockquote>
<br>
My roadwarrior is across the internet in a subnet 192.168.26.0/24,
so should be no conflict there...
<br>
<br>
Thanks again for your response, Nick, really appreciate it...
<br>
<br>
<blockquote type="cite">
<br>
Regards,
<br>
<br>
Nick
<br>
<br>
On 2015-06-07 01:23, Bob Miller wrote:
<br>
<blockquote type="cite">Hi,
<br>
<br>
I am not sure if I am being dense and not seeing what is
there, or if
<br>
what I am looking for really isn't there.
<br>
<br>
I have a firewall running libreswan that has an ipsec/psk
net2net
<br>
tunnel configured between it and a sonicwall device. This
firewall
<br>
also has multiple road warriors connecting to the local
network behind
<br>
it. Remote windows machines are configured with ikev2.
<br>
<br>
the gist:
<br>
192.168.0.0/24(sonicwall)<=>ETH0:libreswan:ETH1<=>192.168.25.0(LAN)
<br>
10.25.0.0/24(roadwarriors)<=^ ^=>Internet
<br>
<br>
each segment works fine;
<br>
remotelan<=>LAN, RW<=>LAN, Internet<=>LAN
works great
<br>
RW<=>LAN, RW<=>Internet works great.
<br>
remotelan<=>internet doesn't work, which is great.
<br>
<br>
Now I want the roadwarriors to access the remote lan, but I
can't seem
<br>
to figure it out.
<br>
<br>
It happens I have another identical situation, with the
singular
<br>
difference that the road warriors are connecting via l2tp. I
have
<br>
tried to get the same thing working on that one in the hopes
that
<br>
something about l2tp would magically work and grant me
understanding.
<br>
<br>
I have been at it for a while now, it would be tough to list
all I
<br>
have done, but generally I started at iptables, thinking it
would be a
<br>
simple forwarding thing. I made sure I wasn't nat'ing my
traffic,
<br>
forward rules are in place, etc. maybe there is a problem
there, but
<br>
I don't see it if there is.
<br>
<br>
Next I played with left/rightsubnets (as opposed to singular
subnet)
<br>
as per what I found in the ipsec.conf man page. I think I
tried every
<br>
combination at least twice, but nothing changed there.
<br>
<br>
I looked through more of the docs. I found passthrough conns,
which
<br>
seem like what I might want, but the only examples I can find
are for
<br>
extruded subnets, where one side is a smaller subset of a
larger
<br>
subnet on the other side. regardless, tried a bunch of ways
to make
<br>
that work but no success. I also looked through the multi-net
<br>
examples, but those seem related to klips, and I think I need
to find
<br>
and study the context of those examples to get value from
them...
<br>
<br>
On google, I found a limited number of posts that discuss the
topic.
<br>
In the posts that seemed relevant, I could follow the
discussion, but
<br>
in no cases could I translate the examples to a working config
on this
<br>
firewall.
<br>
<br>
I am not afraid to read and try and figure it out on my own,
but I
<br>
don't think I am reading the right stuff. or if I am I
haven't
<br>
recognized it yet. could someone kindly point me at the
definitive
<br>
thing I need to read and understand to achieve my goal?
<br>
</blockquote>
</blockquote>
_______________________________________________
<br>
Swan mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
<br>
</blockquote>
<br>
</body>
</html>