[strongSwan] One IPsec client talk to another through the SeGW ?

Graham Hudspith graham.hudspith at gmail.com
Fri Mar 4 13:48:25 CET 2011


Thanks for that. Unfortunately, all of these abstract labels are making my
head hurt. Let's try some real numbers.

Host A and Host B have local IP addresses in the 192.16.50.xxx subnet.

The SeGW has an unsecure IP address (i.e. on eth0) in the 172.16.xxx.xxx
subnet and a secure IP address (i.e. on eth1) in the 172.17.xxx.xxx subnet.

The SeGW is configured to hand out virtual IP addresses to Hosts A and B
using the 10.15.xxx.xxx subnet.

So, we want Host A to be able to talk to other entities in the 10.15.xxx.xxx
subnet using IPsec (i.e. Host A <-> Host B via SeGW) and ALSO we want Host A
and Host B to be able to talk to entities on the secure side of the SeGW
(i.e. other servers on the 172.17.xxx.xxx subnet).

So, currently, on the SeGW we have:

conn a-b-gw


Does this make sense ?



On 4 March 2011 10:58, Andreas Steffen <andreas.steffen at strongswan.org>wrote:

> this is an easy one:
> ipsec.conf of host A:
> conn a-b
>     left=IP_A
>     right=IP_GW
>     rightsubnet=IP_B/32
> ipsec.conf of gateway GW:
> conn a-gw
>     left=IP_GW
>     leftsubnet=IP_B
>     right=IP_A
> conn b-gw
>     left=IP_GW
>     leftsubnet=IP_A
>     right=IP_B
> ipsec.conf of host B
> conn b-a
>     left=IP_B
>     right=IP_GW
>     rightsubnet=IP_A/32
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110304/91b6f033/attachment.html>

More information about the Users mailing list