I don't know how to set up what you want but here are a few clarifications:
1 - left and right can be either end! Perhaps a better terminology for
you to understand is "end1" and "end2". libreswan will work out which is
the local and which is the remote end from things like the leftip.
Typically people use left as local and right as remote but there is no
need to and each end of the tunnel does not have to agree so each end
could have left as its own machine. In some cases you can have a conn
defined exactly the same at both ends, in which case end1 will be
either left in both conns or right in both conns. It really does not matter.
2 - when you see an example of leftsourceip, it is only valid if left is
the local end. If right is the local end, use rightsourceip.
left/rightsourceip can be specified for the remote end but it has no
meaning.
3 - 192.168.1.0/24 and 192.168.0.0/24 are rubbish subnets for your LAN
if you have roadwarriors connecting in. Too many domestic routers use
those subnets as default and it is quite important to have different LAN
subnets at either end of the tunnel or you'll have real difficulty
getting traffic to pass through the tunnel.
Nick
On 11/01/2018 22:00, Colony.three wrote:
First, I am trying to figure out how to set up the right peer. I
have the left working now, and the right is a phone running the
Strongswan app. This works fine, but I find conflicting info on how
to set up the right when on a laptop or other machine.
The system is a LAN with a number of KVM virtual machines. One of
these VMs is the router, with WAN access. Another VM is the IPSec
gateway running Libreswan -- ports 500 and 4500 are DNATted through
the router, to the IPsec gateway VM. This works fine with a remote
Android phone and the Ss app.
But there will also be remote laptops. And a remote mail server.
And all their IPs are changeable.
My goal is to have all machines commoned together on the VPN (they
are all trusted). The LAN class C is 192.168.1.0/24 and it would be
ideal to assign remote machines a -known- IP in this range. This way
I'll know where everyone is. If this is not possible then I'd like
to have a VPN-internal range such as 10.1.1.0/24, but again to have
each peer be assigned a -known- IP, so I know where each is.
All connexions must be mutual, IOW peer A can scp files from peer B,
and peer B can scp files from peer A.
To set up a commoned system like this I suspect I'd need to set up
individual segments between each peer and the gateway, in a
hub-and-spoke. Maybe I'd need a connexion one way, and a second one
the other way?
All will be IKEv2, and cert auth.
I haven't been able to make myself understood on IRC as that's just
snippets, so maybe someone here can advise.
- How does the ipsec.conf differ between left and right? I read some
examples where they are identical, and some where their roles are
reversed. When system A is the LAN gateway and system B is a remote
laptop, in systemA's ipsec.conf it is the left and B is the right.
But on system B's ipsec.conf is it the left and system A the right?
If so, what other ipsec.conf differences are there? I can't find
anything in the docs even showing a right ipsec.conf.
- Is it possible to assign a -known- IP to peers? I find in the man
there is a leftsourceip= but this seems to apply in only one
direction, from left to right. Is this the case? Or is there another
way to assign known IPs to peers? And is there a way to record them
in a hosts file in some way.
Hopefully I've explained this well enough to show that the goal is a
super-LAN, extended beyond the core LAN with IPSec.
Well my best idea doesn't work: https://paste.ee/p/SVNFf
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
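As an added worked example of points 1 and 2 above (constructed here, not taken from Nick's reply or from the libreswan project): a gateway conn and the matching laptop conn, where each end writes itself as "left", and the laptop gets a fixed VPN-internal address through a /32 subnet plus a sourceip set only on the end where it is local. The gateway address 203.0.113.1, the LAN 192.168.10.0/24, the VPN-internal range 10.1.1.0/24, the conn names, certificate nicknames and IDs are all assumed, and the example presumes each certificate carries its ID as a SAN.

```conf
# Gateway A: public address 203.0.113.1, LAN 192.168.10.0/24 (assumed values)
# One conn per roadwarrior, selected at IKE_AUTH by the peer's certificate ID.
conn laptop1
    ikev2=insist
    authby=rsasig
    left=203.0.113.1
    leftid=@gw.example.com
    leftcert=gw.example.com          # NSS nickname of the gateway cert (assumed)
    leftsubnet=192.168.10.0/24
    leftsendcert=always
    right=%any                       # laptop's public address is unknown and changes
    rightid=@laptop1.example.com     # must match the laptop's certificate
    rightsubnet=10.1.1.5/32          # the -known- VPN-internal address of this peer
    rightca=%same
    auto=add                         # gateway waits; the laptop initiates
    # no rightsourceip here: a sourceip on the remote end has no meaning

# Laptop B: the reverse view of the same tunnel, this host is its own "left".
# The two files need not agree on which end is left; libreswan matches the
# local end from the addresses.
conn gw
    ikev2=insist
    authby=rsasig
    left=%defaultroute               # whatever address the laptop currently has
    leftid=@laptop1.example.com
    leftcert=laptop1.example.com     # NSS nickname of the laptop cert (assumed)
    leftsubnet=10.1.1.5/32
    leftsourceip=10.1.1.5            # meaningful only here, where left is local
    leftsendcert=always
    right=203.0.113.1
    rightid=@gw.example.com
    rightsubnet=192.168.10.0/24
    rightca=%same
    auto=start
```

Hosts on the 192.168.10.0/24 LAN need a route for 10.1.1.0/24 via the gateway VM for the return traffic, and the VPN-internal range deliberately differs from any LAN subnet, per point 3.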