<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p><font face="Helvetica, Arial, sans-serif">Hi Tobias</font></p>
<p><font face="Helvetica, Arial, sans-serif">Sorry for the late
response. I already changed the conf yesterday and found out
that my vServer does not have the required kernel modules
built in.<br>
So I had to request a new cloud-based server and move all my web
sites and VPN connection details to the new server.</font></p>
<p><font face="Helvetica, Arial, sans-serif">Many thanks, here is
the result of your proposed changes:<br>
connection 'vpn-first' established successfully</font></p>
<p><font face="Helvetica, Arial, sans-serif">Should I document this
setup somewhere on the Wiki?<br>
</font></p>
<p><font face="Helvetica, Arial, sans-serif">Out of curiosity, how
would you configure the server and client if I wanted to add a
vpn-third subnet with 192.168.3.0?</font></p>
<p><font face="Helvetica, Arial, sans-serif">Best regards<br>
Martin<br>
</font></p>
<p><font face="Helvetica, Arial, sans-serif"><br>
</font></p>
<div class="moz-cite-prefix">On 07/13/2016 03:49 PM, Tobias Brunner
wrote:<br>
</div>
<blockquote cite="mid:578646F9.60303@strongswan.org" type="cite">
<pre wrap="">Hi Martin,
</pre>
<blockquote type="cite">
<pre wrap="">Regarding #1, on the server I have configured another IP address for the
network device:
ip addr add 192.168.1.0/24 dev eth0
Do I need to add a route as well?
</pre>
</blockquote>
<pre wrap="">
You won't need either of those to connect the two subnets.
</pre>
<blockquote type="cite">
<pre wrap="">Central server internal IP: 192.168.1.0, external IP: vpn.example.org
First home gateway: 192.168.0.1/24
Second home gateway: 192.168.2.1/24
Please find below my ipsec.conf
</pre>
</blockquote>
<pre wrap="">
See my comments below.
</pre>
<blockquote type="cite">
<pre wrap="">The connection seems to be established, but I get the following error
message on the server:
traffic selectors 192.168.1.0/32 192.168.2.0/24 === 192.168.1.0/24
inacceptable
failed to establish CHILD_SA, keeping IKE_SA
On the first gateway I get:
installing new virtual IP 192.168.0.1
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
</pre>
</blockquote>
<pre wrap="">
Since you simply want to set up a site-to-site tunnel, the use of virtual
IPs (left|rightsourceip) is completely misplaced.
</pre>
<blockquote type="cite">
<pre wrap="">## Server.conf
config setup
conn base
...
leftsubnet=192.168.1.0
</pre>
</blockquote>
<pre wrap="">
What you actually want is to use leftsubnet=<subnet 2> for the
connection with 1 and leftsubnet=<subnet 1> for the connection with 2.
The server obviously does not have to be directly connected to these
subnets, but this will result in the correct IPsec policies for the
traffic to get tunneled via the central server. So remove the above
line and then change the rest as follows:
</pre>
<blockquote type="cite">
<pre wrap="">...
conn vpn-first
</pre>
</blockquote>
<pre wrap=""> also=base
</pre>
<blockquote type="cite">
<pre wrap=""> auto = add
rightcert = firstCert.pem
rightsubnet = 192.168.0.0/24
</pre>
</blockquote>
<pre wrap=""> leftsubnet = 192.168.2.0/24
Remove:
</pre>
<blockquote type="cite">
<pre wrap=""> rightsourceip = 192.168.0.1
conn vpn-mann
</pre>
</blockquote>
<pre wrap=""> also=base
</pre>
<blockquote type="cite">
<pre wrap=""> auto = add
rightcert = secondCert.pem
rightsubnet = 192.168.2.0/24
</pre>
</blockquote>
<pre wrap=""> leftsubnet = 192.168.0.0/24
Remove:
</pre>
<blockquote type="cite">
<pre wrap=""> rightsourceip = 192.168.2.1
# First gateway ipsec.conf (second one skipped for the moment)
...
conn vpn-stern
...
</pre>
</blockquote>
<pre wrap="">Remove 192.168.1.0 from:
</pre>
<blockquote type="cite">
<pre wrap=""> rightsubnet = 192.168.1.0,192.168.2.0/24
...
</pre>
</blockquote>
<pre wrap="">Remove:
</pre>
<blockquote type="cite">
<pre wrap=""> leftsourceip = %config4
</pre>
</blockquote>
<pre wrap="">
Regards,
Tobias
</pre>
</blockquote>
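<p><font face="Helvetica, Arial, sans-serif">Added example (not part of the original thread, and not Tobias's answer to the third-subnet question): the hub-and-spoke scheme from the quoted reply, extended to the three spoke subnets Martin asks about. On the central server every conn lists the <i>other</i> spokes' subnets in leftsubnet, so the hub installs policies "other subnets &lt;-&gt; this spoke", and each home gateway lists all other subnets in rightsubnet. The conn name vpn-third, the certificate name thirdCert.pem and the subnet 192.168.3.0/24 are assumptions taken from Martin's question; vpn-first, vpn-mann, vpn-stern and the certificate names follow the quoted configs. No virtual IPs (left|rightsourceip) are used, as Tobias recommends for a site-to-site setup.</font></p>

```ini
# Added example, not from the original thread. Assumed names: vpn-third,
# thirdCert.pem, 192.168.3.0/24 (from Martin's question). The settings of
# the quoted "base" conn (ike/esp proposals, leftcert, leftid, right, ...)
# are not repeated here.

## Central server (vpn.example.org) ipsec.conf
config setup

conn base
        # certificate, identity and proposal settings as in the quoted base conn

# Each spoke conn: rightsubnet is the spoke's own LAN, leftsubnet lists the
# OTHER spokes' LANs. The hub need not be attached to any of these subnets;
# the resulting policies route spoke-to-spoke traffic through the hub.
conn vpn-first
        also=base
        auto=add
        rightcert=firstCert.pem
        rightsubnet=192.168.0.0/24
        leftsubnet=192.168.2.0/24,192.168.3.0/24

conn vpn-mann
        also=base
        auto=add
        rightcert=secondCert.pem
        rightsubnet=192.168.2.0/24
        leftsubnet=192.168.0.0/24,192.168.3.0/24

conn vpn-third
        also=base
        auto=add
        rightcert=thirdCert.pem          # assumed name
        rightsubnet=192.168.3.0/24       # assumed subnet
        leftsubnet=192.168.0.0/24,192.168.2.0/24

## First home gateway (192.168.0.1) ipsec.conf
conn vpn-stern
        # right=vpn.example.org, rightid, leftcert etc. as in the quoted config
        auto=start
        leftsubnet=192.168.0.0/24
        rightsubnet=192.168.2.0/24,192.168.3.0/24
        # no leftsourceip=%config4: this is a site-to-site tunnel, not a
        # roadwarrior, so no virtual IP is requested

## Second and third gateways are the same pattern:
## leftsubnet = own LAN, rightsubnet = the two other LANs.
```

<p><font face="Helvetica, Arial, sans-serif">Two checks worth making on the hub: the decrypted spoke-to-spoke packets are forwarded, not delivered locally, so IP forwarding must be enabled on the central server (sysctl net.ipv4.ip_forward=1, and any FORWARD firewall rules must allow the subnets); and after a spoke connects, "ipsec statusall" should show the CHILD_SA with the spoke's subnet on one side and both other subnets as traffic selectors on the other, while "ip xfrm policy" shows the matching in/out/fwd policies. With IKEv2 strongSwan negotiates the multiple subnets as traffic selectors of a single CHILD_SA; with IKEv1 each subnet pair would need its own conn.</font></p>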
<br>
</body>
</html>