<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Folks,<br>
<br>
I am lost. Not making headway with examples I have found.<br>
The Security Associations will have 1 connecting from time to
time.<br>
<br>
Does anyone see anything wrong with the ipsec.conf files?<br>
Is anyone who works with StrongSwan close to Pittsburgh, PA,
USA?<br>
<br>
Thanks for your review.<br>
<u><b><br>
</b></u><u><b>My SUN is set up with<br>
<br>
</b></u>
<blockquote>
<blockquote>config setup<br>
<br>
conn %default<br>
ikelifetime=60m<br>
keylife=20m<br>
rekeymargin=3m<br>
keyingtries=1<br>
authby=secret<br>
keyexchange=ikev2<br>
mobike=no<br>
<br>
conn net-net<br>
left=domain.org<br>
leftsubnet=192.168.200.0/24<br>
leftid=@NOC<br>
leftfirewall=yes<br>
right=%any<br>
rightsubnet=10.0.0.0/24<br>
rightid=@Site1<br>
auto=add<br>
</blockquote>
</blockquote>
<u><b><br>
<br>
The Moon Side with<br>
<br>
</b></u>
<blockquote>config setup<br>
<br>
conn %default<br>
ikelifetime=60m<br>
keylife=20m<br>
rekeymargin=3m<br>
keyingtries=1<br>
authby=secret<br>
keyexchange=ikev2<br>
mobike=no<br>
<br>
conn net-net<br>
left=%any<br>
leftsubnet=10.0.0.0/24<br>
leftid=@Site1<br>
leftfirewall=yes<br>
right=domain.org<br>
rightsubnet=192.168.200.0/24<br>
rightid=@NOC<br>
auto=add<br>
</blockquote>
<u><b>FROM SUN<br>
</b></u>
<blockquote>[root@vpn strongswan]# strongswan statusall<br>
<br>
Status of IKE charon daemon (strongSwan 5.2.0, Linux
2.6.32-504.1.3.el6.x86_64, x86_64):<br>
uptime: 7 minutes, since Nov 29 09:14:18 2014<br>
malloc: sbrk 376832, mmap 0, used 356032, free 20800<br>
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
0/0/0/0, scheduled: 0<br>
loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5
random nonce x509 revocation constraints acert pubkey pkcs1
pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc
cmac hmac attr kernel-netlink resolve socket-default farp stroke
vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls
eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth
dhcp<br>
Listening IP addresses:<br>
192.168.200.214<br>
Connections:<br>
net-net: domain.org...%any IKEv2<br>
net-net: local: [NOC] uses pre-shared key authentication<br>
net-net: remote: [Site1] uses pre-shared key
authentication<br>
net-net: child: 192.168.200.0/24 === 10.0.0.0/24 TUNNEL<br>
Security Associations (0 up, 0 connecting):<br>
none<br>
<br>
<u><b><br>
</b></u></blockquote>
<u><b>FROM MOON<br>
<br>
</b></u>[root@localhost strongswan]# strongswan statusall<br>
<br>
Status of IKE charon daemon (strongSwan 5.2.0, Linux
3.10.0-123.9.3.el7.x86_64, x86_64):<br>
uptime: 6 seconds, since Nov 29 09:25:43 2014<br>
malloc: sbrk 1757184, mmap 0, used 385312, free 1371872<br>
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
0/0/0/0, scheduled: 0<br>
loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random
nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12
pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr
kernel-netlink resolve socket-default farp stroke vici updown
eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls
eap-peap xauth-generic xauth-eap xauth-pam dhcp<br>
Listening IP addresses:<br>
192.168.201.164<br>
Connections:<br>
net-net: %any...domain.org IKEv2<br>
net-net: local: [Site1] uses pre-shared key authentication<br>
net-net: remote: [NOC] uses pre-shared key authentication<br>
net-net: child: 10.0.0.0/24 === 192.168.200.0/24 TUNNEL<br>
Security Associations (0 up, 0 connecting):<br>
none<br>
<u><b><br>
</b></u><u><b><br>
<br>
<br>
</b></u><br>
On 11/25/2014 1:09 PM, Noel Kuntze wrote:<br>
</div>
<blockquote cite="mid:5474C5BC.2040002@familie-kuntze.de"
type="cite">
<pre wrap="">
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hello Matthew,
This can be done, however you need to take into account that you might have to add routes to your managed
networks if the strongSwan server in your LAN isn't the default router.
See [1] for all the needed information.
As Tobias wrote, you will do very well with having different networks on the different locations or you'd
have to fiddle around with the NETMAP target in iptables to map conflicting networks onto other subnets.
To realize this, you could use a distinct IP range for your moon boxes and assign them an IP from a static
pool in strongSwan using virtual IPs. The local traffic selector on SUN would be your LAN and the remote traffic
selector would be 0.0.0.0/0. On the moon boxes, the local traffic selector would be the LAN and %dynamic, if
that configuration is allowed. In your own LAN, the distinct IP range for the moon boxes would be routed over SUN
and authentication would be done with certificates and a trusted CA.
This description of a configuration is based on [2] and [3].
[1] <a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling">https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling</a>
[2] <a class="moz-txt-link-freetext" href="http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/">http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/</a>
[3] <a class="moz-txt-link-freetext" href="http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/">http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/</a>
With kind regards/Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 25.11.2014 at 11:46, Matthew Ferry [PITSDC] wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Folks,
Good Morning. I posted a message/Issue in the Bug Tracker system the other day.
I am looking for some help getting started.
I have a project that I think strongSwan will be perfect for.
I have looked at examples, but am overwhelmed with options and possibilities.
Here is a URL to the posting I made:
<a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/issues/773">https://wiki.strongswan.org/issues/773</a>
IN REPLY to Tobias Brunner's comment ---
Each location can have its own subnet. I would like to manage this IP plan from one central location.
The number of needed IPs will change based on the location.
Thanks for any input.
I am looking forward to moving forward quickly.
Thanks
Matt
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a>
</pre>
</blockquote>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
-
Thanks and Regards,<br>
<br>
Matthew R. Ferry<br>
General Manager<br>
<br>
<br>
One Oxford Centre<br>
301 Grant Street, Suite 4300<br>
Pittsburgh, Pennsylvania 15219<br>
United States<br>
<br>
Toll Free: 855-4-PITSDC<br>
Local Fax: 412-368-9021<br>
<br>
Departments: <a href="http://development.pitsdc.com">Development</a>
| <a href="http://itservices.pitsdc.com">IT Services</a> | <a
href="http://hosting.pitsdc.com">Hosting</a><br>
<br>
Follow Us: Twitter <a href="www.twitter.com/pitsdc"> @PITSDC </a>
| Facebook <a href="www.facebook.com/pitsdc"> /PITSDC </a></div>
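<p>An added cross-check of the two ipsec.conf files posted above (example code, not from the thread or from strongSwan): it parses both conn sections, verifies that identities and traffic selectors mirror each other, and reports the one thing that keeps "Security Associations (0 up, 0 connecting)" at zero on both sides, namely that <code>auto=add</code> only loads a conn and the side with <code>right=%any</code> cannot initiate, so the side that knows the peer address needs <code>auto=start</code>. The SUN config is abridged to its conn sections and MOON is derived as its exact left/right mirror, as posted.</p>

```python
# Added example, not from the thread or from strongSwan: parse the two
# ipsec.conf files posted above and cross-check them before asking why
# "Security Associations (0 up, 0 connecting)" never changes.
from typing import Dict, List

# Abridged copy of the posted SUN config (conn sections only); the posted
# MOON config is its exact mirror with left/right swapped.
SUN = """conn %default
keyexchange=ikev2
authby=secret
conn net-net
left=domain.org
leftsubnet=192.168.200.0/24
leftid=@NOC
right=%any
rightsubnet=10.0.0.0/24
rightid=@Site1
auto=add
"""
MOON = SUN.replace("left", "~").replace("right", "left").replace("~", "right")

def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ipsec.conf 'conn' sections; 'conn %default' fills in missing keys."""
    conns: Dict[str, Dict[str, str]] = {}
    cur = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    default = conns.pop("%default", {})
    return {name: {**default, **c} for name, c in conns.items()}

def check_pair(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Problems found when conn `a` on one peer faces conn `b` on the other."""
    problems: List[str] = []
    # Identities and traffic selectors must mirror each other across the peers.
    for mine, theirs in (("leftid", "rightid"), ("leftsubnet", "rightsubnet")):
        if a.get(mine) != b.get(theirs) or a.get(theirs) != b.get(mine):
            problems.append(f"{mine}/{theirs} do not mirror between peers")
    if a.get("keyexchange") != b.get("keyexchange"):
        problems.append("keyexchange differs between peers")
    # auto=add only loads a conn, and a side with right=%any cannot initiate,
    # so the side that knows the peer address must use auto=start (or route).
    if not any(c.get("auto") in ("start", "route") and c.get("right") != "%any"
               for c in (a, b)):
        problems.append("no side initiates: set auto=start where right= is a real address")
    return problems
```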
</body>
</html>