<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi,<br>
<br>
I am new to the topic of VPN, IPSec, route, iptables, etc.<br>
<br>
I have the scenario mentioned in the attachment. My IPSec Gateway is
a Lubuntu with two network interfaces. eth0 is connected to the
internal LAN. There is a switch which connects a few Windows
computers with a Cisco RV042 router and the Lubuntu (IPSec Gateway).
The Cisco gives internet access over a fast internet connection and
has DHCP enabled so that all Windows computers get their IP address
from this router and are able to use the internet. At the moment Lubuntu
is configured with a static IP within the subnet 192.168.1.0/24. On
eth1 a second modem with the static IP 176.94.x.x is connected,
which should be used to create a Site-to-Site IPSec connection to
another company.<br>
<br>
<u>route looks like this:</u><br>
<br>
<pre>root@vpn-server:~# LANG=C route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         business-176-09 0.0.0.0         UG    0      0        0 eth1
176.94.52.88    *               255.255.255.248 U     1      0        0 eth1
192.168.1.0     *               255.255.255.0   U     1      0        0 eth0
</pre>
<br>
<u>This is /etc/ipsec.conf:</u><br>
<br>
<pre>config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default

conn union
    left=176.94.x.x
    leftsubnet=10.100.1.0/24
    leftsourceip=10.100.1.1
    leftfirewall=yes
    right=83.136.y.y
    rightsubnet=10.251.0.0/16
    auto=add
    ikelifetime=24h
    lifetime=1h
    type=tunnel
    lifebytes=4718592000
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    authby=psk
    keyexchange=ikev1
    lefthostaccess=yes
</pre>
<br>
<u>This is /etc/strongswan.conf:</u><br>
<br>
<pre>charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf
</pre>
<br>
<u>This is ifconfig -a:</u><br>
<br>
<pre>root@vpn-server:~# ifconfig -a
eth0      Link encap:Ethernet  Hardware Adresse c4:6e:1f:06:10:90
          inet Adresse:192.168.1.152  Bcast:192.168.1.255  Maske:255.255.255.0
          inet6-Adresse: fe80::c66e:1fff:fe06:1090/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX-Pakete:1355634 Fehler:0 Verloren:360 Überläufe:0 Fenster:0
          TX-Pakete:12684 Fehler:0 Verloren:0 Überläufe:0 Träger:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX-Bytes:113088435 (113.0 MB)  TX-Bytes:1505232 (1.5 MB)

eth1      Link encap:Ethernet  Hardware Adresse 00:1b:fc:90:80:51
          inet Adresse:176.94.x.x  Bcast:176.94.x.x  Maske:255.255.255.248
          inet6-Adresse: fe80::21b:fcff:xxxx:xxxx/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX-Pakete:1955017 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
          TX-Pakete:1898517 Fehler:0 Verloren:0 Überläufe:0 Träger:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX-Bytes:472209413 (472.2 MB)  TX-Bytes:443885596 (443.8 MB)

lo        Link encap:Lokale Schleife
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
          UP LOOPBACK RUNNING  MTU:65536  Metrik:1
          RX-Pakete:10137 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
          TX-Pakete:10137 Fehler:0 Verloren:0 Überläufe:0 Träger:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX-Bytes:1341831 (1.3 MB)  TX-Bytes:1341831 (1.3 MB)
</pre>
<br>
<u>This is starting ipsec:</u><br>
<br>
<pre>root@vpn-server:~# ipsec start
Starting strongSwan 5.1.2 IPsec [starter]...
root@vpn-server:~# ipsec up union
initiating Main Mode IKE_SA union[1] to 83.136.y.y
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (196 bytes)
received packet: from 83.136.y.y[500] to 176.94.x.x[500] (108 bytes)
parsed ID_PROT response 0 [ SA V ]
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (396 bytes)
received packet: from 83.136.y.y[500] to 176.94.x.x[500] (456 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received DPD vendor ID
received unknown vendor ID: 75:37:a8:c7:39:54:ff:f2:a8:f6:8d:a3:d4:0b:63:11
received XAuth vendor ID
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (92 bytes)
received packet: from 83.136.y.y[500] to 176.94.x.x[500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA union[1] established between 176.94.x.x[176.94.x.x]...83.136.y.y[83.136.y.y]
scheduling reauthentication in 85375s
maximum IKE_SA lifetime 85915s
generating TRANSACTION request 247522367 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (92 bytes)
received packet: from 83.136.y.y[500] to 176.94.x.x[500] (108 bytes)
parsed INFORMATIONAL_V1 request 2733943088 [ HASH D ]
received DELETE for IKE_SA union[1]
deleting IKE_SA union[1] between 176.94.x.x[176.94.x.x]...83.136.y.y[83.136.y.y]
initiating Main Mode IKE_SA union[2] to 83.136.y.y
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (196 bytes)
connection 'union' established successfully
root@vpn-server:~# ipsec status
Security Associations (1 up, 0 connecting):
       union[1627]: CONNECTING, 176.94.x.x[%any]...83.136.y.y[%any]
</pre>
<br>
Now I want to be able to ping the computer on the other side with
the IP address 10.251.232.75 from Lubuntu. What do I have to do?<br>
Later I want to be able to connect from any Windows PC to
10.251.232.75. What do I have to do then?<br>
I can assume that the other side is configured correctly, so that I
should be able to ping 10.251.232.75 from my side. But first I have
to do things right on my side.<br>
<br>
I thought strongswan would create a virtual interface like openvpn
does. I guess this way I would be able to use this virtual interface
as a gateway to the VPN/IPSec tunnel.<br>
What do I need, and where can I read about this scenario? Do you need
more information?<br>
<br>
Thank you!<br>
<br>
<pre class="moz-signature" cols="80">--
——————————————————————————————————————————————
Homepage: <a class="moz-txt-link-freetext" href="http://freakscorner.de">http://freakscorner.de</a>
Facebook: <a class="moz-txt-link-freetext" href="http://www.facebook.com/Bastelkeller">http://www.facebook.com/Bastelkeller</a>
Twitter: <a class="moz-txt-link-freetext" href="http://twitter.com/freaks_corner">http://twitter.com/freaks_corner</a>
Youtube: <a class="moz-txt-link-freetext" href="http://youtube.com/tubenic86">http://youtube.com/tubenic86</a></pre>
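<br>
As an added illustration (not part of the original post), here is a small Python check of the patterns visible in the log and config above: strongSwan installs kernel IPsec policies rather than a tun-style interface, so a ping only goes through the tunnel once a CHILD_SA exists and the packet's source address lies in leftsubnet. The log excerpt, the conn values and the local address list (with the masked 176.94.x.x replaced by a placeholder) are constructed to mirror the post.<br>

```python
import ipaddress
import re

# Constructed log excerpt modelled on the charon output quoted in the post.
LOG = """\
initiating Main Mode IKE_SA union[1] to 83.136.y.y
IKE_SA union[1] established between 176.94.x.x[176.94.x.x]...83.136.y.y[83.136.y.y]
generating TRANSACTION request 247522367 [ HASH CPRQ(ADDR DNS) ]
parsed INFORMATIONAL_V1 request 2733943088 [ HASH D ]
received DELETE for IKE_SA union[1]
connection 'union' established successfully
""".splitlines()

# Constructed conn values and interface addresses mirroring the post's
# ipsec.conf and ifconfig; 176.94.0.1 is a placeholder for the masked WAN IP.
CONN = {"leftsubnet": "10.100.1.0/24", "rightsubnet": "10.251.0.0/16",
        "leftsourceip": "10.100.1.1", "keyexchange": "ikev1"}
LOCAL_ADDRS = ["192.168.1.152", "176.94.0.1"]


def analyze_log(lines):
    """Walk charon's log and record which IKEv1 phases actually completed."""
    state = {"ike_up": False, "child_up": False,
             "modecfg_requested": False, "deleted_by_peer": False}
    for line in lines:
        if re.search(r"IKE_SA \S+ established", line):
            state["ike_up"] = True            # phase 1 only: no ESP SAs yet
        elif re.search(r"CHILD_SA \S+ established", line):
            state["child_up"] = True          # only now are XFRM policies installed
        elif "CPRQ(" in line:
            state["modecfg_requested"] = True  # mode config request caused by leftsourceip
        elif "received DELETE for IKE_SA" in line:
            state["deleted_by_peer"] = True
    return state


def check_conn(conn, local_addrs):
    """Return findings a reviewer would raise about a site-to-site conn."""
    findings = []
    left = ipaddress.ip_network(conn["leftsubnet"])
    if not any(ipaddress.ip_address(a) in left for a in local_addrs):
        findings.append("no local address inside leftsubnet; a ping from the gateway "
                        "will not match the policy unless sent from such an address")
    if "leftsourceip" in conn:
        findings.append("leftsourceip requests a virtual IP via mode config; "
                        "unusual for a static site-to-site tunnel")
    return findings


def diagnose(lines, conn, local_addrs):
    """Combine log state and config review into an ordered list of findings."""
    state = analyze_log(lines)
    findings = check_conn(conn, local_addrs)
    if state["ike_up"] and not state["child_up"]:
        findings.insert(0, "IKE_SA came up but no CHILD_SA was established; "
                           "there is no tunnel to ping through yet")
    return findings
```

Run it after a failed `ipsec up` with the real log and conn values; the first finding is the one to resolve before any ping can be expected to work.<br>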
</body>
</html>