<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Oct 28, 2017 at 5:15 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">On Wed, 25 Oct 2017, Nirvana wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
This is first time I have used Libreswan so if I misunderstand anything, please let me know. I am attempting to<br>
setup something similar to a roadwarriors configuration. It looks like this:<br>
<br>
<br>
mobile client <-----> NAT (dynamic IP) <-------- Internet --------> (static IP) NAT <---------> server <--------><br>
internal gateway <--------> internal networks<br>
<br>
My goal is to have the mobile client be able to communicate with the multiple internal networks by utilizing<br>
static routes. So far I have only been successful getting the client to be able to talk to one internal network at<br>
time. I haven't had any authentication issues.<br>
</blockquote>
<br>
</span><span class="gmail-"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Here is the configuration I have :<br>
<br>
Server:<br>
conn roadwarriors2<br>
ikev2=insist<br>
fragmentation=yes<br>
left=192.168.9.11<br>
leftsubnets={<a href="http://192.168.2.0/24" rel="noreferrer" target="_blank">192.168.2.0/24</a> <a href="http://192.168.3.0/24" rel="noreferrer" target="_blank">192.168.3.0/24</a> <a href="http://192.168.9.0/24" rel="noreferrer" target="_blank">192.168.9.0/24</a>}<br>
leftcert=server<br>
leftid=external_static_ip #real IP removed<br>
leftxauthserver=yes<br>
leftmodecfgserver=yes<br>
right=%any<br>
rightca=%same<br>
rightaddresspool=192.168.9.12-<wbr>192.168.9.14<br>
</blockquote>
<br></span>
I am not sure if we support multiple subnets with addresspool. That<br>
requires that three connections are instantiated to the CP assigned<br>
IP on the client.<span class="gmail-"><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I have been adding static routes on the client after the VPN is made (e.g. ip route add <a href="http://192.168.3.0/24" rel="noreferrer" target="_blank">192.168.3.0/24</a> dev vti9).<br>
It appears to be the case that whatever network is listed first under leftsubnets directive on the server is the<br>
only network the client can communicate with.<br>
</blockquote>
<br></span>
Yes, my guess is that you will only get one IPsec SA.<span class="gmail-"><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Regarding the vti9 already exists entry: it appears that Libreswan doesn't remove the interface when exiting which<br>
is why I think it is "in use". I have been able to remove it manually using "ip link delete vti9".<br>
</blockquote>
<br></span>
It's a side-effect of us not fully supporting this scenario. You would<br>
have to put in vti-sharing=yes and it should stop showing errors.<span class="gmail-"><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Does anyone have any suggestions? Am I utilizing Libreswan wrong and instead should be running L2TP over<br>
Libreswan? If you need more information, I will gladly provide it.<br>
</blockquote>
<br></span>
No don't do L2TP<br>
<br>
You could either try splitting your conn into 3, and setting up 3<br>
independent tunnels.<br>
<br>
Or you can set up one for <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> on the server, install firewall rules<br>
there to limit traffic to the three networks, and give the client a custom<br>
leftupdown= script that only routes those 3 subnets into the single VTI<br>
device.<span class="gmail-HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div><div class="gmail_extra">Thanks for the response! I am doing what you suggested (<a href="http://0.0.0.0/0">0.0.0.0/0</a> on server and adding routes for VTI interface) and it appears to be working. For instance I am able to add a functioning route using: ip r a <a href="http://192.168.2.0/24">192.168.2.0/24</a> dev vti9 scope link src 192.168.9.12<br><br>However if I try to add routes using an updown script I am having an issue where vti9 isn't up yet so I can't add the routes yet. Below is how I was able to test that.<br><br></div><div class="gmail_extra">In the client config I added: leftupdown=/etc/ipsec.updown<br></div><div class="gmail_extra">and created that executable shell script with the following contents:<br><br></div><div class="gmail_extra">ip a<br></div><div class="gmail_extra">exit 0<br><br></div><div class="gmail_extra">I then started libreswan and this is what I see in the logs:<br></div><div class="gmail_extra"><br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1<br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: inet <a href="http://127.0.0.1/8">127.0.0.1/8</a> scope host lo <br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: valid_lft forever preferred_lft forever <br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: inet6 ::1/128 scope host<br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: valid_lft forever preferred_lft forever <br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: 2: enp1s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000<br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: link/ether 80:fa:5b:25:13:95 brd ff:ff:ff:ff:ff:ff<br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: inet <a href="http://10.0.0.226/16">10.0.0.226/16</a> brd 10.0.255.255 scope global dynamic enp1s0f1<br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: valid_lft 560sec preferred_lft 560sec<br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: inet6 fe80::82fa:5bff:fe25:1395/64 scope link<br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: valid_lft forever preferred_lft forever <br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: 3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000<br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: link/ether 52:54:00:77:77:8d brd ff:ff:ff:ff:ff:ff<br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: inet <a href="http://192.168.122.1/24">192.168.122.1/24</a> brd 192.168.122.255 scope global virbr0<br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: valid_lft forever preferred_lft forever <br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: 4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN qlen 1000<br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: link/ether 52:54:00:77:77:8d brd ff:ff:ff:ff:ff:ff<br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: 5: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1<br>Oct 31 08:02:17 client pluto[3525]: "client": prepare-host output: link/ipip 0.0.0.0 brd 0.0.0.0 <br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1<br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: inet <a href="http://127.0.0.1/8">127.0.0.1/8</a> scope host lo <br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: valid_lft forever preferred_lft forever <br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: inet6 ::1/128 scope host<br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: valid_lft forever preferred_lft forever <br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: 2: enp1s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000<br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: link/ether 80:fa:5b:25:13:95 brd ff:ff:ff:ff:ff:ff<br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: inet <a href="http://10.0.0.226/16">10.0.0.226/16</a> brd 10.0.255.255 scope global dynamic enp1s0f1<br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: valid_lft 560sec preferred_lft 560sec<br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: inet6 fe80::82fa:5bff:fe25:1395/64 scope link<br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: valid_lft forever preferred_lft forever <br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: 3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000<br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: link/ether 52:54:00:77:77:8d brd ff:ff:ff:ff:ff:ff<br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: inet <a href="http://192.168.122.1/24">192.168.122.1/24</a> brd 192.168.122.255 scope global virbr0<br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: valid_lft forever preferred_lft forever <br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: 4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN qlen 1000<br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: link/ether 52:54:00:77:77:8d brd ff:ff:ff:ff:ff:ff<br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: 5: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1<br>Oct 31 08:02:17 client pluto[3525]: "client": route-host output: link/ipip 0.0.0.0 brd 0.0.0.0 <br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #1: initiating v2 parent SA<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #1: client IKE proposals for initial initiator (selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP1536 (default)<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #1: STATE_PARENT_I1: sent v2I1, expected v2R1<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #1: client ESP/AH proposals for initiator: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_512 group=MODP2048}<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: certificate O=${org},CN=${cn} OK<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: IKEv2 mode peer ID is ID_IPV4_ADDR: '${external_static_ip}'<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: received INTERNAL_IP4_ADDRESS 192.168.9.12<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: received INTERNAL_IP4_DNS 192.168.2.10 <br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: inet <a href="http://127.0.0.1/8">127.0.0.1/8</a> scope host lo<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: valid_lft forever preferred_lft forever<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: inet6 ::1/128 scope host<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: valid_lft forever preferred_lft forever <br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: 2: enp1s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: link/ether 80:fa:5b:25:13:95 brd ff:ff:ff:ff:ff:ff<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: inet <a href="http://10.0.0.226/16">10.0.0.226/16</a> brd 10.0.255.255 scope global dynamic enp1s0f1<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: valid_lft 559sec preferred_lft 559sec<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: inet6 fe80::82fa:5bff:fe25:1395/64 scope link<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: valid_lft forever preferred_lft forever <br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: 3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN qlen 1000<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: link/ether 52:54:00:77:77:8d brd ff:ff:ff:ff:ff:ff<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: inet <a href="http://192.168.122.1/24">192.168.122.1/24</a> brd 192.168.122.255 scope global virbr0<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: valid_lft forever preferred_lft forever<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: 4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN qlen 1000<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: link/ether 52:54:00:77:77:8d brd ff:ff:ff:ff:ff:ff<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: 5: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: up-client output: link/ipip 0.0.0.0 brd 0.0.0.0<br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: negotiated connection [192.168.9.12,192.168.9.12:0-65535 0] -> [0.0.0.0,255.255.255.255:0-65535 0] <br>Oct 31 08:02:17 client pluto[3525]: "client"[1] ${external_static_ip} #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0x86c04240 <0x493a7b96 xfrm=AES_GCM_C_256-NONE NATOA=none NATD=${external_static_ip}:4500 DPD=passive}<br><br></div><div class="gmail_extra">It looks like to me that during all three of these phases where the script could be called the vti interface doesn't exist yet and the ip hasn't been negotiated yet. The only solution that pops into mind is to have an at job add the routes later but that feels messy. Am I missing something? Thanks for the assistance.<br></div><div class="gmail_extra"><br></div></div>