[strongSwan] Site2site VPN Config Examples

Holger Rauch Holger.Rauch at empic.de
Thu Nov 4 15:13:51 CET 2010

Hi Martin,

thanks a lot for your reply.

From: Martin Willi [martin at strongswan.org]
Sent: Thursday, November 04, 2010 11:11
To: Holger Rauch
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Site2site VPN Config Examples

> [...]
> So the "outer" firewall acts as remote-access gateway for road warriors,
> AND makes a net2net connection to your internal network?

The jails should do that for the (encrypted) VPN connection, yes. I'm aware that this is a security risk. Would you recommend using 1 or 2 separate physical machines or a completely different setup for the network topology I mentioned in my last mail?

> +----+               +-------+               +-------+
> | RW | <-- IPsec --> | outer | <-- IPsec --> | inner | <-- plain -->
> +----+               +-------+               +-------+
>
> Should work, as long as you terminate road warrior tunnels at outer,
> and not inner. Tunneling a tunnel on a single box is difficult.

Yes, I would terminate road warrior tunnels at outer.

>> Since both firewalls are running FreeBSD 8.1 and FreeBSD supports
>> jails, I'm thinking of creating a jail on each of the firewalls and
>> running the current version of strongSWAN (4.5.0)

> I don't have any experience with jails, I don't know how well it works
> with IPsec.

>> I haven't yet found an example for configuring a site2site network
>> with strongSWAN.

> You can find a long list of examples in our test-scenario section [1].

>> User authentication is supposed to be performed by a FreeRADIUS
>> server

> We support RADIUS servers via any EAP authentication method. For Linux
> road warriors, EAP-MD5 is fine [2], for Windows 7 (and Linux) you'll
> have to switch to EAP-MSCHAPv2. FreeRADIUS needs a patch to work
> properly with MSCHAPv2.

Is EAP-MSCHAPv2 really the only EAP variant that works with Linux, Windows (both XP and 7), and possibly also Mac OS X, or are there other possibilities? Which would be the most secure and would work with all mentioned OSes?

> Do you authenticate the net2net tunnel via RADIUS, too?

Not sure on this one yet. Would you recommend it?

> We don't have an
> example, just combine the bits of [2] with [3].

OK. Will try that.


Thanks a lot & kind regards,


THE standard software for Aviation Authorities

This communication contains information which is confidential and may also be privileged. It is for the
exclusive use of the intended recipient(s). If you are not the intended recipient(s) please note that any
distribution, copying or use of this communication or the information in it is strictly prohibited. If you have
received this communication in error please notify us immediately by email or by telephone and then delete
this email and any copies of it.
This e-mail may contain confidential and/or legally protected information. If you are not the intended
recipient or have received this e-mail in error, please inform the sender immediately and destroy this
mail. Unauthorized copying and unauthorized forwarding of this mail are not permitted.
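Putting the pieces of the thread together for the RW <-> outer <-> inner topology, as an added example that is not from the original messages and not one of the strongSwan project's own test scenarios: an ipsec.conf for "outer" (road-warrior tunnels authenticated through EAP via RADIUS, plus the certificate-authenticated net2net tunnel to "inner"), the mirror connection on "inner", and the eap-radius plugin settings in strongswan.conf using the 4.5.x single-server syntax. All addresses (192.0.2.1/2, 10.1.0.0/16, 10.2.0.0/16, the RADIUS server 10.1.0.10), the virtual-IP pool 10.3.0.0/24, the certificate file names and the identities are assumed placeholders. The point a practitioner should not miss: road-warrior traffic is decrypted on outer and must then be re-encrypted over the net2net tunnel, so the pool has to be part of the net2net traffic selectors on both ends; if it is left out, packets from road warriors toward inner's LAN do not match any IPsec policy on outer and are forwarded in the clear (or dropped by the packet filter).

```conf
# --- /etc/ipsec.conf on "outer" (strongSwan 4.5.x, IKEv2) ---
# Placeholders: outer 192.0.2.1, inner 192.0.2.2,
# outer LAN 10.1.0.0/16, inner LAN 10.2.0.0/16, road-warrior pool 10.3.0.0/24.
config setup
	charonstart=yes
	plutostart=no

conn %default
	keyexchange=ikev2
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1

# net2net tunnel outer <-> inner, certificates on both ends.
# Both peers are strongSwan, so a strict modern proposal is safe here.
conn net-net
	ike=aes256-sha256-modp2048!
	esp=aes256-sha256!
	left=192.0.2.1
	leftcert=outerCert.pem
	leftid=@outer.example.org
	# outer's LAN plus the road-warrior pool: decrypted RW traffic to
	# inner's LAN must hit this policy and be re-encrypted
	leftsubnet=10.1.0.0/16,10.3.0.0/24
	right=192.0.2.2
	rightid=@inner.example.org
	rightsubnet=10.2.0.0/16
	auto=start

# road warriors terminate here (never on inner); the gateway proves
# itself with its certificate, users are authenticated by EAP relayed
# to FreeRADIUS, which picks the EAP method (EAP-MD5 or EAP-MSCHAPv2)
conn rw-eap
	left=192.0.2.1
	leftcert=outerCert.pem
	leftid=@outer.example.org
	leftauth=pubkey
	# what road warriors may reach: outer's LAN and inner's LAN
	leftsubnet=10.1.0.0/16,10.2.0.0/16
	right=%any
	rightauth=eap-radius
	rightsendcert=never
	rightsourceip=10.3.0.0/24
	eap_identity=%any
	auto=add

# --- /etc/ipsec.conf on "inner" ---
# inner only ever talks IPsec to outer; it accepts no road warriors.
conn net-net
	keyexchange=ikev2
	ike=aes256-sha256-modp2048!
	esp=aes256-sha256!
	left=192.0.2.2
	leftcert=innerCert.pem
	leftid=@inner.example.org
	leftsubnet=10.2.0.0/16
	right=192.0.2.1
	rightid=@outer.example.org
	# mirror of outer: outer's LAN plus the road-warrior pool
	rightsubnet=10.1.0.0/16,10.3.0.0/24
	auto=add

# --- /etc/strongswan.conf on "outer": eap-radius plugin, 4.5.x syntax ---
charon {
  plugins {
    eap-radius {
      # placeholder FreeRADIUS address; the same shared secret must be
      # configured for this client in FreeRADIUS' clients.conf
      server = 10.1.0.10
      secret = change-this-shared-secret
      nas_identifier = outer.example.org
    }
  }
}
```

The EAP method itself is not chosen in ipsec.conf: the eap-radius plugin relays whatever EAP conversation FreeRADIUS starts, so EAP-MD5 versus EAP-MSCHAPv2 is decided in the FreeRADIUS eap module. The net2net proposals above are deliberately not applied to rw-eap, since Windows and OS X built-in clients negotiate their own (more limited) IKEv2 proposal sets.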
