[Swan] How to handle multiple networks on both ends?
Xinwei Hong
2017-01-20 00:49:22 UTC
Hi,

Another question. If I have multiple networks on both sides of the ipsec
tunnel, I assume we would need to use leftsubnets/rightsubnets to specify
multiple networks. However, in my last email, we found that
leftsourceip/rightsourceip are required. Since we have multiple networks
now, what address should be used as the sourceip?

Also, with our current setup using racoon, we can add/remove subnets on
the fly once the tunnel is established. We just do some spdadd to tell the
tunnel about new subnets. To do the same thing, do we have to make changes to
the ipsec.conf file and restart the pluto daemon now? We want the existing
connections uninterrupted.

Thanks,
Xinwei
Paul Wouters
2017-01-20 04:48:05 UTC
Post by Xinwei Hong
Another question. If I have multiple networks on both sides of the ipsec
tunnel, I assume we would need to use leftsubnets/rightsubnets to specify
multiple networks. However, in my last email, we found that
leftsourceip/rightsourceip are required. Since we have multiple networks
now, what address should be used as the sourceip?
If you need to access more remote subnets on the remote end from the
local server itself, you have two choices:

- Add host-subnet connections, like:

conn subnet1
    left=a.b.c.d
    right=e.f.g.h
    leftsubnet=X.0.0.0/8,Y.0.0.0/8
    rightsubnet=W.0.0.0/8,Z.0.0.0/8
    [...]

conn host-subnet1
    left=a.b.c.d
    right=e.f.g.h
    rightsubnet=W.0.0.0/8
    [...]

conn host-subnet2
    left=a.b.c.d
    right=e.f.g.h
    rightsubnet=Z.0.0.0/8
    [...]

This will result in 4 + 1 + 1 tunnels: all the subnets to all the subnets,
and the ipsec server to both subnets.

Since you now have tunnels where your public ip (nearest to the remote
subnet) is part of an IPsec tunnel, your connections will work without
needing sourceip=.

The alternative is to split the subnetS conn into 4 different
subnet-to-subnet tunnels and specify leftsourceip= on each.
But that only makes sense if you have an IP from those local
subnets configured on the machine itself. Again, if you are just
routing those subnets locally to another machine, sourceip= is
not needed.
Post by Xinwei Hong
Also, with our current setup using racoon, we can add/remove subnets on
the fly once the tunnel is established. We just do some spdadd to tell the
tunnel about new subnets. To do the same thing, do we have to make changes to
the ipsec.conf file and restart the pluto daemon now? We want the existing
connections uninterrupted.
If you use separate conns, then you can simply run:

ipsec auto --add connXXX
ipsec auto --up connXXX
ipsec auto --down connXXX
ipsec auto --delete connXXX

to manually add/remove them. If you use the subnetS= construct, then
you will see numbered conns appearing. For example:

conn test
    left=a.b.c.d
    right=e.f.g.h
    leftsubnet=X.0.0.0/8,Y.0.0.0/8
    rightsubnet=W.0.0.0/8,Z.0.0.0/8
    [...]

when this connection is added and brought up using --add and --up,
you will see in "ipsec status":

conn test1x1
conn test1x2
conn test2x1
conn test2x2

You can treat those as regular conns, so you can do:

ipsec auto --delete test2x1

Note that if you use DPD, and the base connection gets restarted,
it will re-add this deleted conn again.

Paul
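As an added example (not code from the thread or from libreswan), here is a small Python script that applies the expansion rules Paul describes above to a constructed ipsec.conf: it parses the conn sections, merges conn %default, and lists the subnet-to-subnet tunnels each conn yields, so the 4 + 1 + 1 count can be checked before the file is loaded. The a.b.c.d / X.0.0.0/8 style addresses are placeholders taken from the thread.

```python
# Added example (not from the thread or libreswan): expand ipsec.conf conn
# sections into the subnet-to-subnet tunnels pluto instantiates, following the
# rules Paul describes: plural left/rightsubnets= gives one tunnel per subnet
# pair, a side with no subnet option is the host itself, %default is inherited.
import re
from itertools import product

# Constructed sample in the thread's layout; a.b.c.d etc. are placeholders.
SAMPLE_CONF = """conn %default
    left=a.b.c.d
    right=e.f.g.h
conn subnet1
    leftsubnets=X.0.0.0/8,Y.0.0.0/8
    rightsubnets=W.0.0.0/8,Z.0.0.0/8
conn host-subnet1
    rightsubnet=W.0.0.0/8
conn host-subnet2
    rightsubnet=Z.0.0.0/8
"""

def parse_conns(text):
    """Return {conn_name: {option: value}} with 'conn %default' merged in."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()      # drop comments and blanks
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:                                       # new section header
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:   # indented option line
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    defaults = conns.pop("%default", {})
    return {n: {**defaults, **o} for n, o in conns.items()}

def subnets(opts, side):
    """Selectors for one side: plural list, singular subnet, or the host."""
    if side + "subnets" in opts:
        return [s.strip() for s in opts[side + "subnets"].split(",") if s.strip()]
    if side + "subnet" in opts:
        return [opts[side + "subnet"]]
    return [opts[side] + "/32"]                     # host-only side

def expand_tunnels(text):
    """(conn, left_selector, right_selector) for every tunnel the conf yields."""
    return [(name, l, r)
            for name, opts in parse_conns(text).items()
            for l, r in product(subnets(opts, "left"), subnets(opts, "right"))]
```

Running `expand_tunnels(SAMPLE_CONF)` gives six tuples: four for subnet1 and one each for the two host-to-subnet conns.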
Xinwei Hong
2017-01-20 07:22:27 UTC
Thank you very much. I understand the sourceip part now. Also, I understand
I can bring up/down connections using the method you mentioned.

Let's say my ipsec.conf has a conn test1 configured between two subnets.
The ipsec.conf is loaded by pluto and everything is working. After
some time, we decide to add another subnet pair between the same endpoints.
I need to add a new snippet for "conn test2" into ipsec.conf. If I do
"ip auto --add test2", will it actually work? Does pluto reload the ipsec.conf
file? Does ip auto cause pluto to restart? Do the phase 1 tunnel and conn
test1 get re-established? We don't want to interrupt the tunnel for conn test1.

Thanks,
Xinwei
Xinwei Hong
2017-01-20 21:21:46 UTC
I tried it. It looks like "ip auto --add test2" will reload config file and
pluto process does not restart.

Thanks,
Xinwei
Xinwei Hong
2017-01-23 07:00:25 UTC
Hi Paul,

One follow-up question. Assume we have conn1 and conn2 (or probably more
conns); they are both using the same endpoints for the tunnel, but will support
different subnet pairs. We want to bring up/down individual conns freely.
All conns should share the same phase 1 IKE tunnel. How do we guarantee
that?
I tried to put left/right/ike into

conn %default
    left=a.b.c.d
    right=e.f.g.h
    ike=xxxxx
    phase2alg=....

conn conn1
    leftsubnet=x.x.x.x/24
    rightsubnet=y.y.y.y/24

conn conn2
    leftsubnet=v.v.v.v/24
    rightsubnet=w.w.w.w/24

When I do "ip xfrm state", it returns 8 entries, similar to:

src 10.2.128.170 dst 10.2.128.171
proto esp spi 0x90c639bd reqid 16409 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x3438409b19952d08acf41b4c7d8fec1b845a5567 96
enc cbc(aes) 0x860183c7fb90aaa9c52c03eaf853c749
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

with different SPIs.

With only conn1 or conn2, it returns 4 entries.

Why does it have 8 entries? Does it mean multiple IKE tunnels were created?


Thanks,
Xinwei
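As an added example (not code from the thread), here is a Python parser for the "ip xfrm state" output quoted above: it groups the kernel SAs by reqid and by direction, so a count such as the 8 entries can be read as ESP SAs per conn rather than as IKE tunnels (IKE SAs live in pluto's userspace and never appear in this output). It assumes the local endpoint address given in LOCAL_IP, and the sample states below are constructed with dummy SPIs and a second, made-up reqid.

```python
# Added example (not from the thread): parse "ip xfrm state" output and group
# the kernel SAs by reqid and direction. Each IPsec SA pair installs one
# inbound and one outbound state; IKE SAs are held by pluto in userspace and
# are never listed here.
import re
from collections import defaultdict

LOCAL_IP = "10.2.128.170"   # assumed local endpoint: src == LOCAL_IP is outbound

# Constructed sample in the layout quoted above; SPIs and reqid 16413 are dummies.
SAMPLE_XFRM = """\
src 10.2.128.170 dst 10.2.128.171
\tproto esp spi 0x00000101 reqid 16409 mode tunnel
src 10.2.128.171 dst 10.2.128.170
\tproto esp spi 0x00000102 reqid 16409 mode tunnel
src 10.2.128.170 dst 10.2.128.171
\tproto esp spi 0x00000201 reqid 16413 mode tunnel
src 10.2.128.171 dst 10.2.128.170
\tproto esp spi 0x00000202 reqid 16413 mode tunnel
"""

def parse_xfrm_state(text):
    """Return one dict per SA (src, dst, proto, spi, reqid, mode)."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:                                     # first line of a new SA
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
        elif cur is not None:                     # tab-indented detail line
            m = re.search(r"proto (\w+) spi (0x[0-9a-f]+) reqid (\d+) mode (\w+)", line)
            if m:
                cur.update(proto=m.group(1), spi=int(m.group(2), 16),
                           reqid=int(m.group(3)), mode=m.group(4))
    return sas

def summarize(sas, local_ip):
    """{reqid: {'in': n, 'out': n}}: a healthy SA pair shows one of each."""
    summary = defaultdict(lambda: {"in": 0, "out": 0})
    for sa in sas:
        direction = "out" if sa["src"] == local_ip else "in"
        summary[sa["reqid"]][direction] += 1
    return dict(summary)

def unbalanced(summary):
    """reqids whose inbound and outbound counts differ (half-installed or stale)."""
    return sorted(r for r, c in summary.items() if c["in"] != c["out"])
```

Feeding the real output into summarize() shows how many SA pairs each reqid (conn) currently has; unbalanced() flags reqids where one direction is missing.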
Paul Wouters
2017-01-30 02:30:07 UTC
Post by Xinwei Hong
One follow-up question. Assume we have conn1 and conn2 (or probably more
conn's), they both using same endpoints for tunnel, but will support
different subnet pairs. We want to bring up/down individual conn freely.
All conns should share the same phase 1 IKE tunnel. How do we guarantee
that?
Just writing the conns out works: you can individually bring these up
and down, and libreswan will know when it can re-use the same IKE SA. If
you are using the plural forms of left/rightsubnets= then the connection
is instantiated, for example:

conn example
    left=a.b.c.d
    right=e.f.g.h
    leftsubnets=10.0.1.0/24,10.0.2.0/24
    rightsubnets=192.168.1.0/24,192.168.2.0/24

Then you will get conns with the names "example0x0", "example1x0",
"example1x1" and "example0x1".

You can control those 4 conns just as if you had written those names in
a config file.

Paul