[strongSwan] Site2site VPN Config Examples
Martin Willi
martin at strongswan.org
Thu Nov 4 11:11:53 CET 2010
Hi Holger,
> site2site VPN between a jail on my external firewall and a jail my
> internal firewall
> a road warrior can connect to the "outer end" of the site2site VPN and
> is "routed through" to the internal network
So the "outer" firewall acts as remote-access gateway for road warriors,
AND makes a net2net connection to your internal network?
+----+               +-------+               +-------+
| RW | <-- IPsec --> | outer | <-- IPsec --> | inner | <-- plain -->
+----+               +-------+               +-------+
Should work, as long as you terminate road warrior tunnels at outer,
and not inner. Tunneling a tunnel on a single box is difficult.
> Since both firewalls are running FreeBSD 8.1 and FreeBSD supports
> jails, I'm thinking of creating a jail on each of the firewalls and
> running the current version of strongSWAN (4.5.0)
I don't have any experience with jails, I don't know how well it works
with IPsec.
> I haven't yet found an example for configuring a site2site network
> with strongSWAN.
You can find a long list of examples in our test-scenario section [1].
> User authentication is supposed to be performed by a FreeRADIUS
> server
We support RADIUS servers via any EAP authentication method. For Linux
road warriors, EAP-MD5 is fine [2], for Windows 7 (and Linux) you'll
have to switch to EAP-MSCHAPv2. FreeRADIUS needs a patch to work
properly with MSCHAPv2.
Do you authenticate the net2net tunnel via RADIUS, too? We don't have an
example, just combine the bits of [2] with [3].
[1]http://strongswan.org/uml/testresults/ikev2/
[2]http://strongswan.org/uml/testresults/ikev2/rw-eap-md5-radius/
[3]http://strongswan.org/uml/testresults/ikev2/net2net-cert/
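The following is an added configuration example, not part of the list post and not strongSwan's own test configuration. It does what the reply suggests: combine the road-warrior EAP/RADIUS setup of [2] with the certificate-based net2net tunnel of [3] on the "outer" gateway, so that road warriors terminate at outer and are then carried over the second tunnel to the inner network. All addresses, host names, the virtual IP pool (10.3.0.0/24), the inner subnet (10.2.0.0/16) and the RADIUS server/secret are assumptions chosen for illustration.

```ini
# ipsec.conf on "outer" (constructed example; addresses and names are assumptions)
config setup
        charonstart=yes
        plutostart=no

conn %default
        keyexchange=ikev2

# Road warriors terminate here. outer authenticates with its certificate,
# the road warrior is authenticated by FreeRADIUS through the eap-radius
# plugin (EAP-MD5 for Linux clients, EAP-MSCHAPv2 for Windows 7).
conn rw-eap
        left=192.0.2.1                 # outer's public address (assumed)
        leftid=@outer.example.org
        leftcert=outerCert.pem
        leftauth=pubkey
        leftsubnet=10.2.0.0/16         # the inner network, so RW traffic to it is tunneled
        right=%any
        rightauth=eap-radius
        rightsendcert=never
        rightsourceip=10.3.0.0/24      # virtual IP pool handed to road warriors (assumed)
        auto=add

# net2net tunnel outer <-> inner, authenticated with certificates ([3]).
# leftsubnet covers the road-warrior pool, not outer's own LAN: a packet that
# leaves the RW tunnel with src 10.3.0.x / dst 10.2.x must match this policy
# to be re-tunneled towards inner. Return traffic matches rw-eap the same way.
conn net-net
        left=192.0.2.1
        leftid=@outer.example.org
        leftcert=outerCert.pem
        leftsubnet=10.3.0.0/24
        right=192.0.2.2                # inner's address as seen from outer (assumed)
        rightid=@inner.example.org
        rightsubnet=10.2.0.0/16
        auto=start

# ipsec.conf on "inner" (mirror of net-net; only this conn is needed there)
conn net-net
        left=192.0.2.2
        leftid=@inner.example.org
        leftcert=innerCert.pem
        leftsubnet=10.2.0.0/16
        right=192.0.2.1
        rightid=@outer.example.org
        rightsubnet=10.3.0.0/24        # must list the RW pool, or inner rejects those selectors
        auto=add

# strongswan.conf on "outer": where the eap-radius plugin finds FreeRADIUS
# (server address and shared secret are placeholders)
charon {
        plugins {
                eap-radius {
                        server = 10.1.0.10
                        secret = RADIUS-SHARED-SECRET-PLACEHOLDER
                }
        }
}
```

Two points worth checking on such a setup: outer must have IP forwarding enabled, since the road-warrior packets are routed from one tunnel into the other rather than delivered locally; and the road-warrior pool must appear in the traffic selectors of both ends of the net2net tunnel (leftsubnet on outer, rightsubnet on inner), otherwise the CHILD_SA negotiation narrows the selectors and the forwarded packets are silently dropped instead of encrypted.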