<div dir="ltr">
<p>Hi All, I have some virtual machine instances at different providers and I want to make a connection among them using IPsec + Virtual IP.</p>
<p>I already got the PKI working and the tunnel working. However, when I connect, the client machine gets the virtual IP from the server, but the server doesn't get a virtual IP.</p>
<p>The point is, I'm not so sure what to look for. This setup, excluding the PKI, works fine with OpenSSH, but we want to change to IPsec.</p>
<p>Any suggestions? Thanks in advance!</p>
<p>This is how it's working right now:</p>
<pre>
+-----------+                    +-----------+
|   moon    |--------------------|    sun    |
+-----------+                    +-----------+
Public IP:  213.X.X.X            Public IP:  213.X.X.X
After connection:
Virtual IP: doesn't have         Virtual IP: 192.168.200.1
</pre>
<p>This is what I'm looking for:</p>
<pre>
+-----------+                    +-----------+
|   moon    |--------------------|    sun    |
+-----------+                    +-----------+
Public IP:  213.X.X.X            Public IP:  213.X.X.X
After connection:
Virtual IP: 192.168.200.1        Virtual IP: 192.168.200.2
</pre>
<pre>
====================================================================================
 Moon ipsec.conf
====================================================================================

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
  ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
  esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev2

  left=%any
# leftsubnet=192.168.200.0/28

conn monitoring-host
  leftcert=vpnHostCert.pem
  right=%any
  rightsourceip=192.168.200.0/24
# rightsourceip=%config
  auto=add

====================================================================================
 Sun ipsec.conf
====================================================================================
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup

conn home
# leftsourceip=%config # Gets a virtual IP
  leftsourceip=192.168.200.70
  leftcert=demoCert.pem
  right=213.X.X.X
  rightid="C=DE, O=xxxxxxx, CN=xxxxx.xxxx.xxx"
  auto=start

include /var/lib/strongswan/ipsec.conf.inc

====================================================================================
 Moon ipsec statusall
====================================================================================
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):
  uptime: 27 minutes, since Feb 17 10:03:10 2016
  malloc: sbrk 2568192, mmap 0, used 588816, free 1979376
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl openssl revocation hmac xcbc stroke kernel-netlink socket-default updown
Virtual IP pools (size/online/offline):
  192.168.200.0/24: 254/1/0
Listening IP addresses:
  213.xxx.xxx.xxx
  2a02:xxxx:xxxx:xxxx::xxxx
Connections:
monitoring-host:  %any...%any  IKEv2
monitoring-host:   local:  [C=DE, O=xxxx, CN=xxxx] uses public key authentication
monitoring-host:    cert:  "C=DE, O=xxxx, CN=xxxx"
monitoring-host:   remote: uses public key authentication
monitoring-host:   child:  dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
monitoring-host[4]: ESTABLISHED 4 seconds ago, 213.xxx.xxx.xxx[C=DE, O=xxxx, CN=xxxx]...213.xxx.xxx.xxx[C=DE, O=xxxx, CN=xxxx]
monitoring-host[4]: IKEv2 SPIs: b130789ba42ee258_i fca69a6e36637e94_r*, public key reauthentication in 54 minutes
monitoring-host[4]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
monitoring-host{2}:  INSTALLED, TUNNEL, ESP SPIs: c2484a7c_i cba73ced_o
monitoring-host{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 15 minutes
monitoring-host{2}:   213.xxx.xxx.xxx/32 === 192.168.200.1/32
</pre>
</div>
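<p>Aside from the virtual-IP question, the <code>ike=</code> and <code>esp=</code> lists in the posted moon <code>ipsec.conf</code> deserve a second look: they mix strong entries (ECP groups, SHA-2, AES-GCM) with SHA-1 integrity and MODP groups below 2048 bits, and the posted <code>ipsec statusall</code> shows the CHILD_SA actually came up with <code>AES_CBC_128/HMAC_SHA1_96</code>, so the weak entries are reachable, not just theoretical. The following script is an added example, not part of the original post or of strongSwan itself: it splits a strongSwan proposal string, flags proposals that contain a weak token, and emits a pruned strict list. The weak-token table is the example author's own classification (DH groups under 2048 bits, SHA-1, MD5, 3DES); the <code>MOON_IKE</code> constant is copied verbatim from the <code>ike=</code> line above, and the second sample proposal string is constructed for illustration.</p>

```python
"""Audit strongSwan ike=/esp= proposal strings for weak algorithms.

Added example, not from the original post. The WEAK table is this
example's own classification: DH groups below 2048 bits, SHA-1 and MD5
integrity/PRF, and 3DES are flagged; every other token passes untouched.
"""

# Copied from the ike= line of the posted moon ipsec.conf (20 proposals).
MOON_IKE = (
    "aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,"
    "aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,"
    "aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,"
    "aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,"
    "aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,"
    "aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,"
    "aes256-sha256-modp1024,aes256-sha1-modp1024!"
)

# Token -> reason. Tokens are compared exactly against the '-'-separated
# parts of each proposal, so "sha1" matches "aes128-sha1-modp2048" but a
# hypothetical "sha1xx" token would not.
WEAK = {
    "modp768":  "DH group below 2048 bits",
    "modp1024": "DH group below 2048 bits (Logjam-class)",
    "modp1536": "DH group below 2048 bits",
    "sha1":     "SHA-1 integrity/PRF; prefer sha256/sha384 or an AEAD for ESP",
    "md5":      "MD5 integrity/PRF",
    "3des":     "3DES cipher",
}


def split_proposals(spec):
    """Split 'a-b-c,d-e!' into (['a-b-c', 'd-e'], strict).

    A trailing '!' is strongSwan's strict marker: without it the daemon
    also accepts its built-in default proposals in addition to yours.
    """
    spec = spec.strip()
    strict = spec.endswith("!")
    if strict:
        spec = spec[:-1]
    return [p for p in spec.split(",") if p], strict


def audit(spec):
    """Return {'strict': bool, 'total': int, 'weak': [(proposal, [(token, reason), ...])]}."""
    proposals, strict = split_proposals(spec)
    weak = []
    for prop in proposals:
        hits = [(tok, WEAK[tok]) for tok in prop.split("-") if tok in WEAK]
        if hits:
            weak.append((prop, hits))
    return {"strict": strict, "total": len(proposals), "weak": weak}


def harden(spec):
    """Drop every proposal containing a weak token, dedupe, and force strict mode.

    Raises ValueError if nothing acceptable is left, so a caller never
    silently writes an empty proposal list into ipsec.conf.
    """
    proposals, _ = split_proposals(spec)
    kept = []
    for prop in proposals:
        if any(tok in WEAK for tok in prop.split("-")):
            continue
        if prop not in kept:
            kept.append(prop)
    if not kept:
        raise ValueError("no acceptable proposal left after pruning")
    return ",".join(kept) + "!"


if __name__ == "__main__":
    report = audit(MOON_IKE)
    print(f"{report['total']} proposals, strict={report['strict']}, "
          f"{len(report['weak'])} contain weak algorithms")
    for prop, hits in report["weak"]:
        print(f"  {prop}: " + "; ".join(f"{tok} ({why})" for tok, why in hits))
    print("hardened: ike=" + harden(MOON_IKE))
```

<p>Run against the posted <code>ike=</code> line it reports 13 of 20 proposals as weak and prunes the list to the seven SHA-2/ECP/MODP-2048+ entries. The same <code>harden()</code> works for the <code>esp=</code> line, where the AES-GCM entries have no separate integrity token and pass through unchanged. Note that both peers negotiate the first mutually acceptable proposal, so pruning moon alone is not enough if sun keeps defaults that still offer SHA-1.</p>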