<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000066" bgcolor="#FFFFFF">
<p>Granted, and actually I'm much further than this now, thanks in
part to your help.</p>
<p>I was seeing whether it's worth bothering here. <br>
</p>
<p>No one seems to be using swanctl judging from no response on
#IRC. It's a far better system than ipsec.conf.</p>
<p>I've given up on my complete LAN using VPN as some devices can
not do IPSec, and I can't figure out how to make them interoperate
with machines running IPSec. So I've relegated myself to using an
IPSec gateway in the LAN to link with outside machines.</p>
<p>I still don't understand the language of swanctl.conf. For
example my best guess is this is correct for the gateway, and the
gateway can still communicate with all non-IPSec machines in the
LAN while running strongswan-swanctl, and I've fixed the SELinux
problems, but it does not work with my remote machines. The
daemon starts just fine and loads all the certs and keys of
course.<br>
</p>
<p>ikev2-pubkey {<br>
version = 2<br>
# proposals =
aes192gcm16-aes128gcm16-aes192-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default<br>
rekey_time = 0s<br>
pools = primary-pool-ipv4 #, primary-pool-ipv6<br>
fragmentation = yes<br>
dpd_delay = 30s<br>
# dpd_timeout doesn't do anything for IKEv2. The general
IKEv2 packet timeouts are used.<br>
local-1 {<br>
cert = cygnus-Cert.pem<br>
id = cygnus.darkmatter.org<br>
}<br>
remote-1 {<br>
# defaults are fine.<br>
}<br>
children {<br>
ikev2-pubkey {<br>
local_ts = 0.0.0.0/0 #,::/0<br>
rekey_time = 0s<br>
dpd_action = clear<br>
# esp_proposals =
aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default<br>
}<br>
}<br>
}<br>
<br>
</p>
<p>So each end should take the other end's public cert, combine it
with its private key, and come up with a symmetric key to
communicate with.</p>
<p>The local_ts determines what traffic is to go in to IPSec, but
that would be all of it. So from another machine in the LAN I aim
at the mailserver outside at 72.251.232.108, if I can somehow make
the LAN direct traffic to the IPSec gateway (which is different
from the LAN gateway), the IPSec gateway should somehow aim it at
the mailserver rather than the remote phone or tablet.</p>
<p>And somehow the IPSec gateway should be able to carry on
simultaneous conversations with the mailserver and phone/tablet,
but surely that means two point-to-point connections..<br>
</p>
<br>
<div class="moz-cite-prefix">On 03/16/2018 05:24 PM, Noel Kuntze
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:2c3fcd2b-b17d-1ccd-b9b3-726f82a08203@thermi.consulting">
<pre wrap="">We two talked about this on IRC about two weeks ago. Use the Host-To-Host transport mode configuration on the bottom of the UsableExamples page.
How you authenticate the hosts is up to you. Preferably, you want to have some central PKI that you use. Maybe put the keys in DNS using the ipseckey plugin, but I haven't tested that yet.
Kind regards
Noel
On 17.03.2018 01:16, Info wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
Nothing. Hm.
On 03/07/2018 06:47 AM, Info wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
Any input would be appreciated.
On 03/05/2018 05:25 PM, Info wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
On 03/05/2018 12:13 PM, Info wrote:
</pre>
<blockquote type="cite">
<pre wrap="">
I'm looking to VPN every machine in a LAN. I infer that this would be something like a host-to-host config.
I'll use swanctl/vici and x509 certs.
I can't identify any configurations that seem right for this at
<a class="moz-txt-link-freetext" href="https://www.strongswan.org/testing/testresults/swanctl/">https://www.strongswan.org/testing/testresults/swanctl/</a>
Maybe? <a class="moz-txt-link-freetext" href="https://www.strongswan.org/testing/testresults/swanctl/ip-pool/index.html">https://www.strongswan.org/testing/testresults/swanctl/ip-pool/index.html</a>
Also, there is a machine outside on the Internet which I'd like to join the party transparently. It's a mail server, so somehow I'd like its mail traffic to not be VPNed, but everything else to be. I guess this might be a roadwarrior with some kind of split for the mail ports.
</pre>
</blockquote>
<pre wrap="">
So my best idea, since IPSec is point-to-point, is to set up a 'hub and spoke' config. IOW designate one machine as the hub and its remote_addrs are IPs of the multiple other members of the LAN which will be in the VPN. Or maybe just the CIDR/24 of the LAN. And all the other members would point to the hub with their remote_addrs. The hub would be a juicy target for attack though, and forwarding must be on.
Of course the traffic selectors would be the CIDR/24 of the LAN, although I haven't figured out how to include a remote machine in the ts since its IP could change. Maybe I could use its resolvable domain name, and DNAT it in through the firewall to the hub. But this doesn't solve the problem of phones and tablets which change outside IPs and don't have resolvable domain names.
And what would 'remote' id= be in the hub? %any?
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<br>
</body>
</html>