<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body>
<div style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>Hi,<br>
</p>
<p><br>
</p>
<p>We have basically implemented the IKEv2 using EAP-MSCHAPv2 Road Warrior configuration. We are using 2 Android phones with the StrongSwan app on each as road warriors. This is working in that we can authenticate and the road warrior phones each create their own tunnels to the StrongSwan server and get assigned a unique address in the 10.3.0.0/24 subnet. They can also see into the private LAN (10.1.0.0/24 subnet) sitting behind the VPN server. However, the road warriors can't see each other over the VPN (i.e., road warrior 1 (VPN IP: 10.3.0.1) can't ping road warrior 2 (VPN IP: 10.3.0.2)), yet they can see each other outside the VPN.<br>
</p>
</p>
<p><br>
</p>
<p>This makes sense after reading this text found in the StrongSwan Intro:<br>
</p>
<p><br>
</p>
<blockquote style="margin: 0px 0px 0px 40px; border: none; padding: 0px;">
<p>The mentioned distinction between policies and SAs often leads to <strong>misconceptions</strong>. For instance, referring to the image above, if host moon has a site-to-site tunnel to host sun (connecting the two networks 10.1.0.0/24 and 10.2.0.0/24), and host carol has a roadwarrior connection to host sun (from which carol received a virtual IP address of 10.3.0.10), then carol won't be able to automatically communicate with alice, even if forwarding is enabled on sun. This is because there is no IPsec policy allowing traffic between carol (10.3.0.10) and alice (10.1.0.10). An additional SA between moon and sun, connecting the virtual subnet 10.3.0.0/24 with 10.1.0.0/24, would be a possible solution to this issue.</p>
</blockquote>
<p><br>
</p>
<p>Not the exact same scenario, since both aren't road warrior connections, but it sounds like the same issue.<br>
</p>
<p><br>
</p>
<p>So, my question is, what do I need to add to ipsec.conf so that each Road Warrior that gets added (I want to have more than 2) to 10.3.0.0/24 can see the others as well as the 10.1.0.0/24 private network after authenticating to the VPN?<br>
</p>
<div>
<p><br>
</p>
<p>I assume that the traffic going between the 10.3.0.0/24 virtual IP tunnels still goes to the VPN server first and not directly to the Road Warrior. But I wouldn't mind some clarity on that as well.<br>
</p>
<p><br>
</p>
<p>Thanks,<br>
</p>
<p><br>
</p>
<div><font face="Tahoma" size="2">
<p class="MsoNormal" style="margin: 0in 0in 0pt;"><a name="_MailAutoSig"><em>Daniel J. Levine</em></a></p>
<p class="MsoNormal" style="margin: 0in 0in 0pt;">A3C4 Section Supervisor</p>
<p class="MsoNormal" style="margin: 0in 0in 0pt;">Air and Missile Defense Department</p>
<p class="MsoNormal" style="margin: 0in 0in 0pt;">Johns Hopkins University Applied Physics Laboratory</p>
<p class="MsoNormal" style="margin: 0in 0in 0pt;">Phone: (443) 778-3952 (240) 228-3952</p>
</font></div>
</div>
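<p>Added example, not part of Daniel's message and not the strongSwan project's own sample configuration: a server-side ipsec.conf that applies the quoted Intro's suggestion (an SA covering the virtual subnet) to the road-warrior case. The virtual IP pool 10.3.0.0/24 is listed in leftsubnet next to the private LAN 10.1.0.0/24, so every client negotiates traffic selectors for both subnets and an IPsec policy exists for packets between two virtual IPs. A packet from 10.3.0.1 to 10.3.0.2 then enters the server through the first tunnel, is decrypted, forwarded, and re-encrypted into the second tunnel; the road warriors never build a tunnel to each other. The connection name, certificate file name and server identity are placeholders; the subnets are the ones from the message.</p>

```ini
# Server-side ipsec.conf (added example; conn name, certificate file and
# identity are placeholders, not values from the original message)
conn rw-eap-mschapv2
    keyexchange=ikev2
    left=%any
    leftcert=serverCert.pem          # placeholder certificate file
    leftid=@vpn.example.org          # placeholder server identity
    leftauth=pubkey
    # The private LAN alone would give the clients a policy only for
    # 10.3.0.x <-> 10.1.0.0/24.  Listing the virtual IP pool as well adds
    # a policy for 10.3.0.x <-> 10.3.0.0/24, which is what lets one road
    # warrior reach another through the server.
    leftsubnet=10.1.0.0/24,10.3.0.0/24
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%identity
    rightsourceip=10.3.0.0/24
    auto=add
```

<p>The server must also forward packets (net.ipv4.ip_forward=1) and its FORWARD chain must accept traffic arriving from one tunnel and leaving into another; the IPsec policy only decides what gets encrypted, not what the firewall passes. After a client connects, <code>ipsec statusall</code> should list traffic selectors for both 10.1.0.0/24 and 10.3.0.0/24 on its CHILD_SA, and <code>ip xfrm policy</code> on the server should show a policy for each client whose destination is 10.3.0.0/24; if only 10.1.0.0/24 appears, the leftsubnet change has not been picked up (re-read the configuration with <code>ipsec reload</code> and reconnect the clients).</p>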
</div>
</body>
</html>