On 16/11/15 11:05, Tom Robinson wrote:
> On 15/11/15 01:50, Tom Robinson wrote:
>> On 14/11/15 22:58, Tuomo Soini wrote:
>>> On Sat, 14 Nov 2015 21:56:54 +1100
>>> Tom Robinson <tom.robin...@motec.com.au> wrote:
>>>
>>>> My apologies, I should have said earlier. We're running
>>>> libreswan-3.9-1 on CentOS 5.
>>>
>>> That is an all too old version. It doesn't have any support for this
>>> config. Upgrade to 3.13, which is the last version that will work on
>>> centos-5.
>>>
>>> I'd advise you to upgrade to centos-7, where libreswan is standard.
>>>
>> Thanks Tuomo,
>>
>> I have to support this older system for a few months more. I'm already
>> configuring a centos-7 replacement. I'll give 3.13 a try on centos-5
>> when I get a chance to compile it.
>>
>
> I have compiled 3.13 and that is now working. Thanks for all the comments and
> help.
>
> I still have an issue though, as I'm unable to find a good reference for
> firewalling/routing.
>
> Can anyone point me in the right direction please?
>
> The problem now is that after the connection is established, the VPN client gets
> assigned an address from the addresspool= connection setting but it fails to
> contact the internal subnet. Does the addresspool subnet range have to be a
> different subnet from the internal subnet? How is routing handled?
>
> I have:
> rightaddresspool=192.168.0.241-192.168.0.252
>
> but my internal network is also 192.168.0.0/24
>
> The above combination worked with IPSec/L2TP, where xl2tpd assigned a pppd
> interface with an address from the 192.168.0.241-192.168.0.252 pool
> (xl2tpd.conf has 'ip range = 192.168.0.241-192.168.0.252'). That worked fine
> as the ppp? interface would come up and be found in arp requests. With IKEv2,
> I'm seeing arp requests for an address that has no interface.
>
> Is it firewalling, routing or the libreswan connection that needs adjusting
> here?
I've done some testing with a different subnet in rightaddresspool and (with the correct firewall adjustments) that all appears to be working now.

Kind regards,

Tom

--
Tom Robinson
IT Manager/System Administrator
MoTeC Pty Ltd
121 Merrindale Drive
Croydon South 3136
Victoria Australia
T: +61 3 9761 5050
F: +61 3 9761 5051
E: tom.robin...@motec.com.au
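The ARP requests Tom saw are for pool addresses that the gateway never owns as interface addresses: with IKEv2 addresspool there is no ppp interface, so a pool carved out of the LAN subnet only works if the gateway answers ARP on the LAN for those addresses (proxy ARP). Moving the pool to its own subnet, as Tom did, turns it into an ordinary routing and forwarding problem. The script below is an added example written for this page, not code from the thread or from the libreswan project. It checks whether a `rightaddresspool=` range overlaps the LAN subnet, and for the separate-subnet layout prints the conn keys that change together with the forwarding and firewall settings that layout needs. The pool `10.10.10.1-10.10.10.100`, the interface name `eth0` and the conn name `roadwarrior` are placeholders chosen for the example; the ipsec.conf keys and the iptables `policy` and `iprange` matches are standard ones.

```shell
#!/bin/sh
# Added example, not from the thread or the libreswan project.
# Checks whether a libreswan rightaddresspool= range overlaps the LAN
# subnet the clients must reach, and prints the forwarding/firewall
# settings the separate-subnet layout relies on.
# Pool (10.10.10.x), interface name (eth0) and conn name are placeholders.

# Dotted-quad IPv4 address -> unsigned integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# pool_overlaps_subnet LO-HI NET/BITS
# Succeeds (exit 0) when any address of the pool lies inside the subnet.
pool_overlaps_subnet() {
    pool_lo=$(ip2int "${1%-*}")
    pool_hi=$(ip2int "${1#*-}")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    net_lo=$(( net & mask ))
    net_hi=$(( net_lo | (~mask & 0xFFFFFFFF) ))
    [ "$pool_lo" -le "$net_hi" ] && [ "$pool_hi" -ge "$net_lo" ]
}

# print_layout LO-HI LAN/BITS LANIF
# Emits the conn keys that change plus the host settings that let the
# kernel forward decrypted client traffic into the LAN and back.
print_layout() {
    pool=$1; lan=$2; lanif=$3
    cat <<EOF
# /etc/ipsec.conf fragment (other keys of the conn stay as they are)
conn roadwarrior
    leftsubnet=$lan
    rightaddresspool=$pool

# The gateway must route between the tunnel and the LAN.
sysctl -w net.ipv4.ip_forward=1

# Forward only IPsec-protected traffic between the pool and the LAN.
iptables -A FORWARD -m policy --dir in  --pol ipsec -m iprange --src-range $pool -d $lan -j ACCEPT
iptables -A FORWARD -m policy --dir out --pol ipsec -m iprange --dst-range $pool -s $lan -j ACCEPT

# LAN hosts need a return path to the pool: either add a route for the
# pool via this gateway on the LAN router, or hide the pool behind the
# gateway's own LAN address:
iptables -t nat -A POSTROUTING -m iprange --src-range $pool -o $lanif -j MASQUERADE
EOF
}

# Demonstration on the two layouts discussed in the thread.
for candidate in 192.168.0.241-192.168.0.252 10.10.10.1-10.10.10.100; do
    if pool_overlaps_subnet "$candidate" 192.168.0.0/24; then
        echo "$candidate overlaps 192.168.0.0/24: LAN hosts will ARP for pool addresses no interface owns"
    else
        echo "$candidate is outside 192.168.0.0/24: plain routing applies"
        print_layout "$candidate" 192.168.0.0/24 eth0
    fi
done
```

The two FORWARD rules use the `policy` match so that only traffic that actually arrived through, or will leave through, an IPsec SA is forwarded between the pool and the LAN; a spoofed cleartext packet with a pool source address is dropped by whatever the chain's default policy is. Pick one of the two return-path options, not both: the static route keeps client addresses visible to LAN hosts, while MASQUERADE avoids touching the LAN router at the cost of hiding which client a connection came from.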
_______________________________________________ Swan mailing list Swan@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan