[strongSwan] Site2site VPN Config Examples

Martin Willi martin at strongswan.org
Thu Nov 4 11:11:53 CET 2010

Hi Holger,

> site2site VPN between a jail on my external firewall and a jail my
> internal firewall

> a road warrior can connect to the "outer end" of the site2site VPN and
> is "routed  through" to the internal network 

So the "outer" firewall acts as remote-access gateway for road warriors,
AND makes a net2net connection to your internal network?

+----+               +-------+               +-------+
| RW | <-- IPsec --> | outer | <-- IPsec --> | inner | <-- plain -->
+----+               +-------+               +-------+

Should work, as long as as you terminate road warrior tunnels at outer,
and not inner. Tunneling a tunnel on a single box is difficult.

> Since both firewalls are running FreeBSD 8.1 and FreeBSD supports
> jails, I'm thinking of creating a jail on each of the firewalls and
> running the current version of strongSWAN (4.5.0)

I don't have any experience with jails, I don't know how well it works
with IPsec.

> I haven't yet found an example for configuring a site2site network
> with strongSWAN.

You can find a long list of examples in our test-scenario section [1].

> User authentication is supposed to be performed by a FreeRADIUS
> server

We support RADIUS servers via any EAP authentication method. For Linux
road warriors, EAP-MD5 is fine [2], for Windows 7 (and Linux) you'll
have to switch to EAP-MSCHAPv2. FreeRADIUS needs a patch to work
properly with MSCHAPv2.

Do you authenticate the net2net tunnel via RADIUS, too? We don't have an
example, just combine the bits of [2] with [3].


More information about the Users mailing list