[strongSwan] Configuration recommendations for multi-WAN roadwarrior setup

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Jan 3 19:26:15 CET 2020


Hello M,

Disable route installation in strongSwan and manage them as you yourself see fit.
IPsec will work regardless.

Kind regards

Noel

On 02.01.20 at 12:45, /M wrote:
> Hi,
> 
> happy new year! Many thanks for the great project and the support.
> 
> I'm currently trying to find a good configuration for the following setup, but I was unsuccessful so far:
>  * strongswan gateway with 2 WAN interfaces on an Edgerouter POE:
>     * WAN1: IPv4 static private IP-address 192.168.240.2/24 behind a pfSense-Firewall (192.168.240.1) and dynamic IP allocation
>     * WAN2: public DSL uplink with static IP address
>     * LAN: 172.16.0.0/24
> 
> WAN1 is the primary (fast) internet uplink for the network, WAN2 is only used for static routes and manual fail-over.
> 
> To access WAN1 a client has to connect to a 802.11x-enabled WiFi and will receive an IP for 192.168.240.0/24.
> To access WAN2 a client can contact the static IP.
> 
> Goal for the VPN: the users should be able to access LAN from both WAN-ports.
> I was able to setup two simple configurations for both (see below), but I have to add a static route for the WAN2-roadwarriors to allow correct routing.
> 
> My question: are there any configuration combinations (route-based vpn, custom scripts, etc.) that allow the correct routing?
> Many thanks for your help and recommendations.
> 
> Cheers
> 
> /M
> 
> # ipsec version
> Linux strongSwan U5.6.3/K4.9.79-UBNT
> 
> 
> 
> ---------------------------
> ipsec.conf:
> config setup
>     uniqueids=no
>     strictcrlpolicy=yes
> 
> ca myca
>     cacert=/config/user-data/ipsec.d/cacerts/my_CA.crt
>     auto=add
> 
> conn vpn-base
>     keyexchange=ikev2
>     dpdaction=clear
>     dpddelay=60s
>     leftid="..."
>     leftsubnet=172.16.0.0/24
>     leftcert=/config/user-data/ipsec.d/certs/my.crt
>     leftsendcert=always
>     leftfirewall=yes
>     right=%any
>     rightsourceip=192.168.200.10-192.168.200.30
>     rightdns=172.16.0.1
>     rightauth=pubkey
> 
> 
> conn WAN1
>     also=vpn-base
>     left=192.168.240.2
>     auto=add
> 
> conn WAN2
>     also=vpn-base
>     left=XXX.XXX.142.228
>     auto=add
> ---------------------------
> 
> ---------------------------
> # ip xfrm policy
> src 172.16.0.0/24 dst 192.168.200.10/32
>     dir out priority 371327
>     tmpl src XXX.XXX.142.228 dst YYY.YYY.243.68
>         proto esp spi 0xc68d7927 reqid 1 mode tunnel
> src 192.168.200.10/32 dst 172.16.0.0/24
>     dir fwd priority 371327
>     tmpl src YYY.YYY.243.68 dst XXX.XXX.142.228
>         proto esp reqid 1 mode tunnel
> src 192.168.200.10/32 dst 172.16.0.0/24
>     dir in priority 371327
>     tmpl src YYY.YYY.243.68 dst XXX.XXX.142.228
>         proto esp reqid 1 mode tunnel
> ---------------------------
> 
> ---------------------------
> # ip route
> default via 192.168.240.2 dev eth1 proto zebra
> YYY.YYY.0.0/12 via XXX.XXX.142.228 dev pppoe0 proto zebra
> ---------------------------
> 
> 

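The following is an added example, not code from the thread, from strongSwan or from /M's router, showing what "disable route installation and manage the routes yourself" can look like on a Linux gateway with two uplinks: charon's `install_routes` is turned off so it no longer populates routing table 220, and two source-based policy-routing rules send ESP packets sourced from each WAN address out through the uplink that owns that address, so a roadwarrior that reached the gateway on WAN2 gets its replies on WAN2 regardless of the default route. The kernel resolves the outer tunnel-mode packet with the IKE_SA's local address as source, which is what the `ip rule from` entries key on. Everything below other than the two interface names and the LAN-side WAN1 addresses is an assumption: 198.51.100.228 stands in for the redacted WAN2 address, the PPPoE uplink is treated as a point-to-point link needing no next hop, and tables 101/102 and rule priority 1000 are assumed to be free on the box.

```shell
#!/bin/sh
# Added example (not from the thread or from strongSwan): policy routing for a
# two-uplink IPsec gateway once charon's own route installation is disabled.
# Assumed values: 198.51.100.228 replaces the redacted WAN2 address, pppoe0 is
# point-to-point (no "via"), tables 101/102 and priority 1000 are unused.

WAN1_IF="eth1";   WAN1_ADDR="192.168.240.2";  WAN1_GW="192.168.240.1"
WAN2_IF="pppoe0"; WAN2_ADDR="198.51.100.228"; WAN2_GW=""   # p2p link, no next hop
TABLE_WAN1=101; TABLE_WAN2=102
RULE_PRIO=1000

# Fragment for strongswan.conf: charon stops installing routes in table 220,
# so the rules below are the only thing steering the encapsulated traffic.
strongswan_conf() {
    cat <<'EOF'
charon {
    install_routes = no
}
EOF
}

# Emit (do not execute) the ip(8) commands for one uplink: a per-uplink table
# holding only a default route, plus a rule that sends packets *sourced from*
# that uplink's address to the table. The ESP packet's outer source is the
# local IKE address, so this is what pins it to the right interface.
uplink_rules() {
    ifc=$1; addr=$2; gw=$3; table=$4
    if [ -n "$gw" ]; then
        printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$ifc" "$table"
    else
        printf 'ip route replace default dev %s table %s\n' "$ifc" "$table"
    fi
    printf 'ip rule add from %s/32 lookup %s priority %s\n' "$addr" "$table" "$RULE_PRIO"
}

all_rules() {
    uplink_rules "$WAN1_IF" "$WAN1_ADDR" "$WAN1_GW" "$TABLE_WAN1"
    uplink_rules "$WAN2_IF" "$WAN2_ADDR" "$WAN2_GW" "$TABLE_WAN2"
}

# Read `ip rule show` output from stdin and confirm both source rules exist.
# Returns 1 and names each missing address; useful as a post-boot sanity check
# since nothing in strongSwan will complain if the rules are gone.
verify_rules() {
    rules=$(cat)
    rc=0
    for addr in "$WAN1_ADDR" "$WAN2_ADDR"; do
        case "$rules" in
            *"from $addr "*) ;;
            *) echo "missing ip rule for $addr" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: ./multiwan-routes.sh show   (print the config and commands for review)
#        ./multiwan-routes.sh apply  (run the commands, then verify)
#        ./multiwan-routes.sh check  (verify the live rule set only)
case "${1:-}" in
    show)  strongswan_conf; echo; all_rules ;;
    apply) all_rules | sh -e && ip rule show | verify_rules ;;
    check) ip rule show | verify_rules ;;
esac
```

Because the inner packet from the LAN to a virtual IP in 192.168.200.0/24 still follows the main table's default route before the XFRM policy catches it, no extra route for the client pool is needed; what the thread's static `YYY.YYY.0.0/12 via ... dev pppoe0` route was compensating for is exactly the outer lookup that the `from 198.51.100.228/32` rule now handles for every peer address, not just one /12.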