[strongSwan] Problem setting source IP
Dietrich Feist
dfeist at bgc-jena.mpg.de
Tue Jul 17 15:43:27 CEST 2012
Hi!
I am trying to connect a remote site to our internal network with
strongswan. Here is my setup:
Remote site
-----------
- 1 server + additional clients on private subnet 10.3.9.0/24
- server is directly connected to the internet through a DSL line
- server has only one network interface (eth0), so I need virtual IPs
- server is also default gateway for clients on private subnet
IP setup on remote server
eth0: 10.3.9.20 (standard server address on remote side)
eth0:1 10.3.9.1 (default gateway address for clients)
eth0:2 12.34.56.78 (outside connection)
Local site
----------
- several servers and clients on public subnet 31.41.59.0/24
- network is protected by firewall
- 1 gateway server for IPsec is reachable through firewall
IP setup on gateway server
eth0: 31.41.59.26
Clients from both subnets should transparently reach each other through
the IPsec tunnel. Besides, also gateway and remote server have to be
able to talk to each other through the IPsec tunnel directly. I have
tried many configurations but only the one with the four-tunnel example
(2.3) from
http://www.strongswan.org/docs/readme4.htm#section_2.3
works (I know this is outdated). The example 2.4 does not work at all. I
have also tried to adapt the more up-to-date example
http://www.strongswan.org/uml/testresults/ikev1/virtual-ip/
but to no avail. The packets do not go through the tunnel and try to
take the default route instead.
With my working setup, I have one problem: packets from the remote
server appear in the local network with IP address 12.34.56.78. I would
prefer to have them come in with source IP 10.3.9.20 but no luck so far.
Here is my currently working setup:
---
# ipsec.conf - strongSwan IPsec configuration file
config setup
        #plutodebug=control
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        #charonstart=no
        #plutostart=yes
conn %default
        #ikelifetime=60m
        #keylife=20m
        #rekeymargin=3m
        #keyingtries=3
        keyexchange=ikev2
        authby=secret
conn net-net
        leftsubnet=31.41.59.0/24
        rightsubnet=10.3.9.0/24
        #rightsourceip=10.3.9.20
        also=host-host
conn net-host
        leftsubnet=31.41.59.0/24
        #rightsourceip=10.3.9.20
        also=host-host
conn host-net
        rightsubnet=10.3.9.0/24
        #rightsourceip=10.3.9.20
        also=host-host
conn host-host
        left=31.41.59.26
        right=12.34.56.78
        #rightsourceip=10.3.9.20
        auto=start
---
As you can see, I tried to add "rightsourceip" at several points but
every time I uncomment one of them, it breaks the connection.
I would appreciate any help, especially hints for a less complicated setup.
Kind regards
Dietrich
PS: I am using strongswan 4.4.1-5.2 on Debian Squeeze on both machines.
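Added example (not from the original post or from strongSwan): a small model of the traffic selectors that the four conns above install on the remote server, used to show which tunnel, if any, a packet falls into depending on the source address the server picks. The policy list is constructed from the posted ipsec.conf, seen from the remote side ("right" is local); the preference rule, narrower selectors win, is an assumption standing in for the kernel's priority-ordered XFRM policy lookup, and the addresses 31.41.59.10, 10.3.9.50 and 203.0.113.1 are constructed sample hosts.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the posted ipsec.conf, as seen from the remote server
# (the "right" peer): local selector = right side, remote selector = left side.
LEFT_HOST = "31.41.59.26"   # gateway on the local site
RIGHT_HOST = "12.34.56.78"  # outside address on eth0:2 of the remote server


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


@dataclass(frozen=True)
class Policy:
    name: str
    local: ipaddress.IPv4Network   # must contain the packet's source
    remote: ipaddress.IPv4Network  # must contain the packet's destination


POLICIES: List[Policy] = [
    Policy("net-net",   net("10.3.9.0/24"),      net("31.41.59.0/24")),
    Policy("net-host",  net("10.3.9.0/24"),      net(LEFT_HOST + "/32")),
    Policy("host-net",  net(RIGHT_HOST + "/32"), net("31.41.59.0/24")),
    Policy("host-host", net(RIGHT_HOST + "/32"), net(LEFT_HOST + "/32")),
]


def matching_policies(src: str, dst: str, policies=POLICIES) -> List[str]:
    """Names of every policy whose selectors cover an outbound packet src->dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [p.name for p in policies if s in p.local and d in p.remote]


def most_specific(src: str, dst: str, policies=POLICIES) -> Optional[str]:
    """Policy actually applied, assuming narrower selectors are preferred
    (an assumption modelling priority-ordered XFRM policy lookup).
    None means no IPsec policy matches and the packet goes out in clear."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies if s in p.local and d in p.remote]
    if not hits:
        return None
    return max(hits, key=lambda p: p.local.prefixlen + p.remote.prefixlen).name


if __name__ == "__main__":
    # Constructed sample flows from the remote site towards the local site.
    flows = [
        (RIGHT_HOST, "31.41.59.10"),  # server traffic sourced from the public address
        ("10.3.9.20", "31.41.59.10"),  # same traffic sourced from the inside address
        ("10.3.9.20", LEFT_HOST),      # server talking to the gateway itself
        ("10.3.9.50", LEFT_HOST),      # a client behind the server
        (RIGHT_HOST, "203.0.113.1"),   # unrelated Internet destination
    ]
    for src, dst in flows:
        print(f"{src:>13} -> {dst:<13} matches {matching_policies(src, dst)}, "
              f"applied: {most_specific(src, dst)}")
```

Run the block to see the point of the source-address question in the post: a packet the server sends from 12.34.56.78 is covered only by the host-* policies, whereas the same packet sourced from 10.3.9.20 is covered by the net-* policies, because 10.3.9.20 lies inside rightsubnet 10.3.9.0/24. Every flow listed in the post (client to client, server to gateway, gateway to server) falls inside net-net's selectors once the server's own traffic is sourced from its inside address, which is why the choice of source IP, not the number of conns, is what decides which tunnel a packet takes.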