On Thu, 2 Nov 2023, Sandeep Burugupally wrote:
> 2. IP2 comes in between, or rather after IKEv2 is done on IP1, and IP2 is not
> associated with any Linux interface.
> We need to have an SA for IP2 as an output of IKEv2 on IP1. After researching
> the literature we found that the RFC does support this as CP payloads in IKE
> message exchanges.
> Ref: https://datatracker.ietf.org/doc/html/rfc4306#page-56 (section 2.19)
> Kindly guide us in configuring the same in Libreswan.
As a client, this is a simple roadwarrior config, e.g.
(assuming a PSK is used for authentication):

conn example-name
    left=%defaultroute
    leftid=@ClientName
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    right=YourVPNServer
    rightid=@vpn.example.com
    narrowing=yes
    auto=start
    authby=secret
    leftmodecfgclient=yes
As a server, this is also fairly straightforward:

conn example-server
    # the VPN server IP
    left=A.B.C.D
    authby=secret
    leftid=@vpn.example.com
    rightid=@ClientName
    right=%any
    # hand out your hardcoded single IP
    rightaddresspool=IP2/32
    leftsubnet=0.0.0.0/0
    modecfgpull=yes
    narrowing=yes
See further: man ipsec.conf
Paul
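A small consistency check for the client/server pair above, added here as an example and not part of the thread or of Libreswan itself: it parses the two conn stanzas and verifies that the IDs cross-match, that modecfg is enabled on both ends, and that the server's rightaddresspool is a single /32 as Paul describes. The stanzas are constructed copies of the ones above; 203.0.113.10 and 198.51.100.7 are placeholder addresses standing in for A.B.C.D and IP2.

```python
from ipaddress import ip_network
# Constructed stanzas; 203.0.113.10 / 198.51.100.7 are placeholders for A.B.C.D / IP2.
CLIENT_CONF = """conn example-name
    left=%defaultroute
    leftid=@ClientName
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    right=vpn.example.com
    rightid=@vpn.example.com
    narrowing=yes
    auto=start
    authby=secret
    leftmodecfgclient=yes
"""
SERVER_CONF = """conn example-server
    left=203.0.113.10                  # the VPN server IP
    authby=secret
    leftid=@vpn.example.com
    rightid=@ClientName
    right=%any
    rightaddresspool=198.51.100.7/32   # hand out the single fixed IP
    leftsubnet=0.0.0.0/0
    modecfgpull=yes
    narrowing=yes
"""

def parse_conn(text):
    # Map each "conn NAME" stanza to its key=value settings; '#' comments are dropped.
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur and "=" in line:
            key, val = line.split("=", 1)
            conns[cur][key.strip()] = val.strip()
    return conns

def check_pair(client, server):
    # Return findings for a client/server stanza pair; an empty list means consistent.
    findings = []
    if (client.get("leftid"), client.get("rightid")) != (server.get("rightid"), server.get("leftid")):
        findings.append("leftid/rightid do not cross-match between client and server")
    if client.get("leftmodecfgclient") != "yes" or server.get("modecfgpull") != "yes":
        findings.append("modecfg not enabled on both ends (leftmodecfgclient / modecfgpull)")
    pool = server.get("rightaddresspool")  # CIDR form as in the thread; a-b ranges not parsed
    if not pool or ip_network(pool, strict=False).num_addresses != 1:
        findings.append("rightaddresspool is missing or not a single /32 address")
    return findings
```

Run `check_pair(parse_conn(CLIENT_CONF)["example-name"], parse_conn(SERVER_CONF)["example-server"])` on real stanzas read from ipsec.conf to catch a pool that hands out a range instead of the one fixed IP2.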
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan