[strongSwan] Strongswan as a VPN Hub with a single network adapter

Kevin Palmer kev at thepub.com
Fri Aug 30 11:32:09 CEST 2013


I have just been using Strongswan for the first time and firstly I’d like
to say how impressed I was in how easy it was to setup the VPN tunnels. I
got my two tunnels working within about 20 minutes of installing Strongswan.

I have got a hub and two spokes and once the two tunnels were established I
can successfully communicate between the spokes and the hub.

The problem I’ve got however is that each ‘Spoke’ of the VPN cannot contact
other spokes in the VPN.

My first thought was that IPv4 Forwarding needed to be enabled; however, enabling
IPv4 Forwarding did not solve the problem.

I’ve also tried adding each spoke subnet as ‘Left’ subnets in the other
connections in ipsec.conf but Strongswan reports “no local address found in
traffic selector” as that subnet is not allocated to my adapter.

The other point to note is that my machine has only one network adapter,
which is connected to the internet, so to get a local subnet I added a
second IP address to the adapter (eth0:0).

Does anyone have any suggestions on what I should try next?

Configuration below…




auto eth0
iface eth0 inet static
    address xxx.xxx.xxx.xxx
    gateway zzz.zzz.zzz.zzz
    netmask

auto lo
iface lo inet loopback

auto eth0:0
iface eth0:0 inet static
    address
    netmask


# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=yes
        charonstart=yes
        plutostart=yes

# Add connections here.

conn %default
     ikelifetime=60m
     keylife=20m
     rekeymargin=3m
     keyingtries=1
     keyexchange=ikev2
     authby=secret
     mobike=yes

# CSVNETKP Connection

conn csvnetkp
      left=%any
      leftsubnet=,
      leftid=@csvpn.local
      right=aaa.aaa.aaa.aaa
      rightsubnet=
      auto=route
      esp=aes256

conn csvnetmsdn2
     left=%any
     leftsubnet=,
     leftid=@csvpn.cirrasoft.local
     right=bbb.bbb.bbb.bbb
     rightsubnet=
     auto=route
     esp=aes256


xxx.xxx.xxx.xxx is my Public facing address

zzz.zzz.zzz.zzz is my ISP gateway

aaa.aaa.aaa.aaa is the Gateway of ‘spoke’ Subnet

bbb.bbb.bbb.bbb is the Gateway of ‘spoke’ Subnet

And I have my PSK’s in the secrets file mapped to the two gateways.

If anyone can help this would be much appreciated.

I'm sure I am almost there but... not quite!

Many Thanks,
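A configuration check for the hub-and-spoke traffic-selector gap described in the post above, added here as an example; it is not part of the original message or of strongSwan. It parses the conn sections of an ipsec.conf (the sample config and its 10.x subnets are constructed placeholders, not the poster's real addresses) and reports, for each spoke connection, which other spokes' subnets are missing from the hub-side leftsubnet, since spoke-to-spoke traffic relayed by the hub only matches a policy when the remote spoke's subnet is inside that local traffic selector.

```python
import ipaddress
import re

# Constructed sample ipsec.conf modelled on the post: a hub with two spokes, each
# spoke-facing conn listing only the (assumed) hub LAN 10.0.0.0/24 as leftsubnet.
SAMPLE_IPSEC_CONF = """\
conn csvnetkp
      left=%any
      leftsubnet=10.0.0.0/24
      rightsubnet=10.1.0.0/24
conn csvnetmsdn2
     left=%any
     leftsubnet=10.0.0.0/24
     rightsubnet=10.2.0.0/24
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section except %default."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments; skip blank lines
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented line: a section header
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m and m.group(1) != "%default" else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def subnets(value):
    # Comma-separated leftsubnet/rightsubnet value; empty entries (as in 'leftsubnet=,') are skipped.
    return [ipaddress.ip_network(s.strip()) for s in value.split(",") if s.strip()]

def spoke_reachability_gaps(conns):
    """For each spoke conn, list the other spokes' subnets that its leftsubnet
    does not cover. Traffic from spoke A to spoke B through the hub needs B's
    subnet inside the hub-side (left) traffic selector of A's connection."""
    gaps = {}
    for name, conn in conns.items():
        local = subnets(conn.get("leftsubnet", ""))
        for other, oconn in conns.items():
            if other == name:
                continue
            for remote in subnets(oconn.get("rightsubnet", "")):
                if not any(remote.version == l.version and remote.subnet_of(l) for l in local):
                    gaps.setdefault(name, []).append(str(remote))
    return gaps
```

The check only covers the traffic-selector overlap; the "no local address found in traffic selector" message is a separate question of which local address charon can pick for the auto=route trap policy when left=%any and leftsubnet contains no address of the host.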

