Setting up LibreSwan VPN router for remote clients #429

ghost opened this issue Mar 9, 2020 · 0 comments


ghost commented Mar 9, 2020

Objective of the Libreswan server setup:

- Dial-up VPN server for remote clients.
- Each remote client has preconfigured data-path subnets for IPsec traffic. The subnet is part of the Phase 2 selector for traffic. We want to avoid pre-configuring this subnet (shown below) on the server side, since we are trying to scale this to thousands of remotes and many VPN servers.
- Individual VTI for each remote client subnet; this is preferred.

Test Setup:

Question 1: Is there a way we can have only one "leftid" for all the remote clients (strongSwan)?

One conn block on the libreswan server configuration for all the remote clients.

conn ipsec01
    [email protected]
    rightsubnet=10.10.0.1/32

Question 2: Also, when we set "rightsubnet=0.0.0.0/0" (on the Libreswan server), IPsec fails: the first connection (ipsec01) is successful, but the second (ipsec02) fails in Phase 2 and throws the following error:

psec02"[1] 10.11.0.2 #10: cannot install eroute -- it is in use for "ipsec01"[7] 10.11.0.1 #11
Mar 9 15:55:33.178415: | delete inbound eroute 0.0.0.0/0:0 --0-> 0.0.0.0/0:0 => [email protected] (raw_eroute)

conn ipsec01
    [email protected]
    rightsubnet=10.10.0.1/32

Due to the above two limitations we have to define a conn block on the Libreswan server for every remote client, which is what we are trying to avoid.

Libreswan VPN Server for remote clients:

config setup
    protostack=netkey
    uniqueids=no

conn %default
    ike=aes256-sha1-modp2048
    esp=aes256-sha1-modp2048
    ikelifetime=24h
    lifetime=24h
    authby=secret
    left=10.11.251.252
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    mobike=no
    replay-window=0
    nic-offload=auto
    type=tunnel
    auto=start
    # one VTI and one mark shared by every conn that inherits %default
    vti-interface=vti-ipip
    vti-routing=yes
    vti-shared=yes
    mark=5/0xffffffff
    #overlapip=yes

conn ipsec01
    [email protected]
    rightsubnet=10.10.0.1/32

conn ipsec02
    [email protected]
    rightsubnet=10.10.0.2/32

strongSwan Remote Client Config:

config setup
    charondebug="ike 0, knl 0, cfg 0"
    uniqueids=no

conn %default
    ike=aes256-sha1-modp2048
    esp=aes256-sha1-modp2048
    keyexchange=ikev2
    ikelifetime=24h
    lifetime=24h
    leftauth=psk
    right=10.11.251.252
    rightsubnet=10.12.0.0/16
    rightauth=psk
    replay_window=0
    type=tunnel
    auto=start

conn ipsec01
    left=10.11.0.1
    [email protected]
    [email protected]
    leftsubnet=10.10.0.1/32

conn ipsec02
    left=10.11.0.2
    [email protected]
    [email protected]
    leftsubnet=10.10.0.2/32
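The "cannot install eroute -- it is in use" failure in Question 2 comes from two conn blocks resolving to the same (leftsubnet, rightsubnet) policy selector once %default is inherited. The following added checker (example code, not part of the issue or of Libreswan) parses an ipsec.conf-style file, applies %default inheritance, and reports conns whose selectors collide before the config is loaded; the embedded config is a constructed sample in the style of the server config above, with placeholder ids.

```python
import ipaddress

# Constructed sample in the style of the Libreswan server config above (not the reporter's file).
SAMPLE_CONF = """\
config setup
    protostack=netkey
conn %default
    left=10.11.251.252
    leftsubnet=0.0.0.0/0
    right=%any
conn ipsec01
    rightid=@ipsec01
    rightsubnet=0.0.0.0/0
conn ipsec02
    rightid=@ipsec02
    rightsubnet=0.0.0.0/0
"""

def parse_conns(text):
    """Return {conn name: options}; every conn inherits the %default options."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not raw[:1].isspace():  # unindented line starts a section
            kind, _, name = line.partition(" ")
            current = name.strip() if kind == "conn" else None  # skip 'config setup'
            if current is not None:
                sections.setdefault(current, {})
            continue
        if current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **opts} for name, opts in sections.items()}

def find_selector_collisions(conns):
    """Return (first conn, second conn, selector) for conns whose leftsubnet/rightsubnet
    pair is identical; only conns with both subnets set are compared."""
    seen, collisions = {}, []
    for name, opts in conns.items():
        if "leftsubnet" not in opts or "rightsubnet" not in opts:
            continue
        sel = (ipaddress.ip_network(opts["leftsubnet"], strict=False),
               ipaddress.ip_network(opts["rightsubnet"], strict=False))
        if sel in seen:
            collisions.append((seen[sel], name, sel))
        else:
            seen[sel] = name
    return collisions
```

Running it over the sample flags ipsec01 and ipsec02 as sharing the 0.0.0.0/0 to 0.0.0.0/0 selector; narrowing either rightsubnet to a per-client /32 clears the report.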