Hello, I sent this message a week ago, but have had no response. If this is not the correct list to use, can someone at least advise where I should send it, please?
Regards,
*Brady Johnson*
[email protected]

On Mon, Mar 21, 2022 at 4:25 PM Brady Johnson <[email protected]> wrote:
>
> Hello,
>
> I am trying to configure a VPN IPSec server and client using Libreswan
> according to [0].
>
> For the VPN server, I am using RHEL 8.5 with the following Libreswan
> version:
>
> $ ipsec --version
> Linux Libreswan 4.4 (netkey) on 4.18.0-348.12.2.el8_5.x86_64
>
> For the VPN client, I am using the following:
>
> Red Hat Enterprise Linux CoreOS release 4.8
> $ uname -r
> 4.18.0-305.10.2.el8_4.x86_64
> $ ipsec --version
> Linux Libreswan 4.4 (netkey) on 4.18.0-305.10.2.el8_4.x86_64
>
> Since CoreOS is immutable, I am using Libreswan via a
> privileged network=host container.
>
> My specific question is related to how the left/rightsubnet works. I
> understand the left/rightsubnet (and subnets) options are policies to
> determine which layer 3 traffic will be sent through the IPSec tunnel. In
> the [0] document, I see that it sets the subnet to 0, like this:
>
> leftsubnet=0.0.0.0/0
>
> What exactly does this mean? I may be mistaken, but I thought I read in
> one of the documents that it means "all traffic". But, based on my testing,
> it seems to mean "no traffic". So, if it does indeed mean all traffic, this
> is not working for me. Could this be a bug, or is there something else that
> needs to be configured to include all traffic in the tunnel?
>
> On a side-note, I tried a "Route-based VPN using VTI" configuration [1]
> which isn't working either, but I can send a separate email about that.
>
> Here are the client/server configurations I'm using:
>
> conn vpn_server_tunnel
>     left=10.10.3.8
>     leftid=@vpn_server_fqdn
>     leftsubnet=0.0.0.0/0
>     leftrsasigkey=%cert
>     leftcert=vpn_server_fqdn
>     leftsendcert=always
>
>     # Clients
>     right=%any
>     rightrsasigkey=%cert
>     rightid=%fromcert
>     # Not using DHCP
>     rightca=%same
>
>     # recommended dpd/liveness to cleanup vanished clients
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=clear
>
>     auto=add
>     ikev2=insist
>     rekey=no
>     fragmentation=yes
>     ike=aes256-sha2
>     esp=aes256-sha2_512-dh14
>     authby=rsa-sha2_512
>     ikelifetime=86400s
>     salifetime=3600s
>
> conn vpn_client_tunnel
>     left=10.10.3.8
>     leftid=@vpn_server_fqdn
>     leftsubnet=0.0.0.0/0
>     leftrsasigkey=%cert
>     leftmodecfgclient=yes
>
>     right=10.10.3.5
>     rightrsasigkey=%cert
>     rightid=%fromcert
>     rightsubnet=0.0.0.0/0
>     rightcert=vpn_client_fqdn
>
>     narrowing=yes
>     ikev2=insist
>     rekey=yes
>     fragmentation=yes
>     mobike=yes
>     auto=start
>     ike=aes256-sha2
>     esp=aes256-sha2_512-dh14
>     authby=rsa-sha2_512
>     ikelifetime=86400s
>     salifetime=3600s
>
> [0] https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
> [1] https://libreswan.org/wiki/Route-based_VPN_using_VTI#Creating_a_virtual_ethernet_connection
>
> Regards,
>
> *Brady Johnson*
> Principal Software Engineer
> [email protected]
>
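The question above is about what a selector such as leftsubnet=0.0.0.0/0 actually matches. The following Python script is an added example, not code from the post or from Libreswan itself: it parses conn stanzas written in ipsec.conf syntax and, for a given packet, reports whether the packet falls inside the leftsubnet x rightsubnet selector pair. SAMPLE_CONF is constructed from the client conn in the post (same 10.10.3.x addresses and names) plus a hypothetical second conn, lan_only_tunnel, whose narrower rightsubnet is there only to contrast with 0.0.0.0/0; special selector values such as %defaultroute or vhost: are not handled.

```python
"""Evaluate Libreswan-style left/rightsubnet selectors against candidate packets.

Added example: parses 'conn' stanzas in ipsec.conf syntax and answers whether a
src->dst packet falls inside the tunnel's traffic selectors. The sample input is
constructed from the mailing-list post plus one hypothetical narrower conn.
"""
import ipaddress
import re

# Constructed sample (addresses and names as in the post; the second conn is
# hypothetical and exists only to show a narrow selector next to 0.0.0.0/0).
SAMPLE_CONF = """\
conn vpn_client_tunnel
    left=10.10.3.8
    leftid=@vpn_server_fqdn
    leftsubnet=0.0.0.0/0
    right=10.10.3.5
    rightid=%fromcert
    rightsubnet=0.0.0.0/0
    narrowing=yes
    auto=start

conn lan_only_tunnel        # hypothetical: only one LAN behind the peer
    left=10.10.3.8
    right=10.10.3.5
    rightsubnet=192.168.50.0/24
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn NAME' stanza in text."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def selectors(conn, side):
    """Return the ip_network selectors for side 'left' or 'right'.

    Libreswan takes either a single '<side>subnet' or a comma-separated
    '<side>subnets'. When neither is present the selector is the endpoint's
    own host address. Only IPv4/IPv6 literals are handled here (assumption).
    """
    if side + "subnets" in conn:
        nets = [s.strip() for s in conn[side + "subnets"].split(",")]
    elif side + "subnet" in conn:
        nets = [conn[side + "subnet"]]
    else:
        nets = [conn[side]]  # a bare address becomes a /32 (or /128) network
    return [ipaddress.ip_network(n, strict=False) for n in nets]


def is_any_ipv4(net):
    """True for the all-IPv4 selector 0.0.0.0/0 (prefix length zero)."""
    return net.version == 4 and net.prefixlen == 0


def selects(conn, src, dst):
    """True if a packet src->dst, as seen from the 'left' host, matches the
    left x right selector pair and would therefore be steered into the tunnel."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    return (any(src_ip in n for n in selectors(conn, "left"))
            and any(dst_ip in n for n in selectors(conn, "right")))


def summarize(text):
    """Per conn: 'all IPv4' if the remote selector is 0.0.0.0/0, else the prefixes."""
    out = {}
    for name, conn in parse_conns(text).items():
        nets = selectors(conn, "right")
        out[name] = ("all IPv4" if any(is_any_ipv4(n) for n in nets)
                     else ", ".join(str(n) for n in nets))
    return out


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONF)
    for name, remote in summarize(SAMPLE_CONF).items():
        print(f"{name}: remote selector = {remote}")
    for dst in ("10.10.3.5", "192.168.50.20", "203.0.113.7"):
        for name, conn in conns.items():
            verdict = "tunnel" if selects(conn, "10.10.3.8", dst) else "bypass"
            print(f"  {name}: 10.10.3.8 -> {dst}: {verdict}")
```

Run as a script it prints a per-conn summary and a verdict for a few constructed destinations. It evaluates only the selectors as written in the configuration; whether the negotiated selectors were actually installed in the kernel on the running host is what `ip xfrm policy` and `ipsec trafficstatus` show.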
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
