[strongSwan] One IPsec client talks to another through the SeGW?
Graham Hudspith
graham.hudspith at gmail.com
Fri Mar 4 13:48:25 CET 2011
Andreas,
Thanks for that. Unfortunately, all of these abstract labels are making my
head hurt. Let's try some real numbers.
Host A and Host B have local IP addresses in the 192.16.50.xxx subnet.
The SeGW has an insecure IP address (i.e. on eth0) in the 172.16.xxx.xxx
subnet and a secure IP address (i.e. on eth1) in the 172.17.xxx.xxx subnet.
The SeGW is configured to hand out virtual IP addresses to Hosts A and B
using the 10.15.xxx.xxx subnet.
So, we want Host A to be able to talk to other entities in the 10.15.xxx.xxx
subnet using IPsec (i.e. Host A <-> Host B via SeGW) and ALSO we want Host A
and Host B to be able to talk to entities on the secure side of the SeGW
(i.e. other servers on the 172.17.xxx.xxx subnet).
So, currently, on the SeGW we have:

conn a-b-gw
    left=segw.foobar.com
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    rightsourceip=10.15.0.0/24

Does this make sense?
Regards,
Graham.
On 4 March 2011 10:58, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
> this is an easy one:
>
> ipsec.conf of host A:
>
> conn a-b
>     left=IP_A
>     right=IP_GW
>     rightsubnet=IP_B/32
>
> ipsec.conf of gateway GW:
>
> conn a-gw
>     left=IP_GW
>     leftsubnet=IP_B
>     right=IP_A
>
> conn b-gw
>     left=IP_GW
>     leftsubnet=IP_A
>     right=IP_B
>
> ipsec.conf of host B
>
> conn b-a
>     left=IP_B
>     right=IP_GW
>     rightsubnet=IP_A/32
>
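Using the concrete numbers from the thread, the configuration below is an added example (not from the original thread or from the strongSwan project) of the hub-and-spoke layout: the SeGW hands out virtual IPs from 10.15.0.0/24 and forwards between them, so Host A reaches Host B and the 172.17.xxx.xxx servers through one tunnel. Hostnames, certificate files and identities are assumptions, and the SeGW must have IP forwarding enabled.

```ini
# ---- SeGW (hub), /etc/ipsec.conf ----
# Requires on the SeGW: sysctl net.ipv4.ip_forward=1
conn %default
    keyexchange=ikev2
    auto=add

conn roadwarriors
    # insecure side (172.16.xxx.xxx, eth0); hostname is an assumption
    left=segw.foobar.com
    leftid=@segw.foobar.com
    # assumption: server certificate file name
    leftcert=segwCert.pem
    # 0.0.0.0/0 lets a host reach anything behind the SeGW,
    # including the other hosts' virtual IPs
    leftsubnet=0.0.0.0/0
    # _updown inserts FORWARD rules per client virtual IP
    leftfirewall=yes
    right=%any
    # pool of virtual IPs handed to Host A and Host B
    rightsourceip=10.15.0.0/24

# ---- Host A (Host B is identical apart from its cert), /etc/ipsec.conf ----
conn to-segw
    keyexchange=ikev2
    # local 192.16.50.xxx address picked from the default route
    left=%defaultroute
    # assumption: host certificate file name
    leftcert=hostACert.pem
    # request a virtual IP from the SeGW pool
    leftsourceip=%config
    right=segw.foobar.com
    rightid=@segw.foobar.com
    # only the other hosts' virtual IPs and the secure 172.17 subnet
    # go through the tunnel; use 0.0.0.0/0 to tunnel everything
    rightsubnet=10.15.0.0/24,172.17.0.0/16
    auto=start
```

Without leftfirewall=yes the SeGW's own firewall must allow FORWARD traffic between 10.15.0.0/24 addresses in both directions, otherwise Host A's packets for Host B are decrypted and then dropped.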