[strongSwan] Strongswan as a VPN Hub with a single network adapter

Paton, Andy andy.paton at hp.com
Fri Aug 30 11:59:29 CEST 2013


What is your routing setup on the spokes?

Regards,

Andy Paton - Bsc. (Hons), MBCS
Innovation Engineer

andy.paton at hp.com



From: users-bounces+andy.paton=hp.com at lists.strongswan.org On Behalf Of Kevin Palmer
Sent: 30 August 2013 10:32
To: users at lists.strongswan.org
Subject: [strongSwan] Strongswan as a VPN Hub with a single network adapter

Hi,

I have just been using Strongswan for the first time and firstly I'd like to say how impressed I was in how easy it was to set up the VPN tunnels. I got my two tunnels working within about 20 minutes of installing Strongswan.

I have got a hub and two spokes, and once the two tunnels were established I can successfully communicate between the spokes and the hub.

The problem I've got however is that each 'Spoke' of the VPN cannot contact other spokes in the VPN.

My first thought was that IPv4 Forwarding needs to be enabled; however, enabling IPv4 Forwarding did not solve the problem.

I've also tried adding each spoke subnet as 'Left' subnets in the other connections in ipsec.conf, but Strongswan reports "no local address found in traffic selector 10.6.0.0/24" as that subnet is not allocated to my adapter.

The other point to note is that my machine has only one network adapter, which is connected to the internet, so to get a local subnet I added a second IP address to the adapter (eth0:0).

Does anyone have any suggestions on what I should try next?

Configuration below...

Thanks,

Kevin



Interfaces

auto eth0
iface eth0 inet static
    address xxx.xxx.xxx.xxx
    gateway zzz.zzz.zzz.zzz
    netmask 255.255.252.0

auto lo
iface lo inet loopback

auto eth0:0
iface eth0:0 inet static
    address 172.16.0.1
    netmask 255.255.0.0

ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=yes
        charonstart=yes
        plutostart=yes

# Add connections here.

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=secret
        mobike=yes

# CSVNETKP Connection

conn csvnetkp
        left=%any
        leftsubnet=172.16.0.0/24,10.6.0.0/24
        leftid=@csvpn.local
        right=aaa.aaa.aaa.aaa
        rightsubnet=10.4.0.0/16
        auto=route
        esp=aes256

conn csvnetmsdn2
        left=%any
        leftsubnet=172.16.0.0/24,10.4.0.0/16
        leftid=@csvpn.cirrasoft.local
        right=bbb.bbb.bbb.bbb
        rightsubnet=10.6.0.0/16
        auto=route
        esp=aes256

Where

xxx.xxx.xxx.xxx is my Public facing address
zzz.zzz.zzz.zzz is my ISP gateway
aaa.aaa.aaa.aaa is the Gateway of 'spoke' Subnet 10.4.0.0/16
bbb.bbb.bbb.bbb is the Gateway of 'spoke' Subnet 10.6.0.0/16


And I have my PSK's in the secrets file mapped to the two gateways.

If anyone can help this would be much appreciated..

I'm sure I am almost there but... not quite!

Many Thanks,

Kevin
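For spoke-to-spoke traffic to be selected into a tunnel on the hub at all, the other spoke's subnet has to be covered by the leftsubnet of the conn that faces the first spoke, in both directions. The script below is an added example (not strongSwan's own tooling and not code from this thread) that parses a hub's ipsec.conf in the legacy conn syntax, treats every conn with a concrete right= peer as a spoke, and reports each spoke pair whose subnet is not covered by the facing conn's leftsubnet. It assumes IPv4, CIDR-only leftsubnet/rightsubnet values, and the ipsec.conf format used in the post; the embedded configuration is a copy of the one posted above with the address placeholders kept as-is.

```python
"""Pairwise traffic-selector coverage check for a strongSwan hub's ipsec.conf.

Added example, not strongSwan project code. Assumes the legacy ipsec.conf
conn syntax, IPv4 and CIDR-only leftsubnet/rightsubnet values.
"""
import ipaddress

# Copied from the post above (placeholders such as aaa.aaa.aaa.aaa kept).
HUB_IPSEC_CONF = """\
config setup
        nat_traversal=yes
        charonstart=yes
        plutostart=yes

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=secret
        mobike=yes

# CSVNETKP Connection
conn csvnetkp
        left=%any
        leftsubnet=172.16.0.0/24,10.6.0.0/24
        leftid=@csvpn.local
        right=aaa.aaa.aaa.aaa
        rightsubnet=10.4.0.0/16
        auto=route
        esp=aes256

conn csvnetmsdn2
        left=%any
        leftsubnet=172.16.0.0/24,10.4.0.0/16
        leftid=@csvpn.cirrasoft.local
        right=bbb.bbb.bbb.bbb
        rightsubnet=10.6.0.0/16
        auto=route
        esp=aes256
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into each conn."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                  # unindented: section header
            kind, _, name = line.strip().partition(' ')
            current = sections.setdefault((kind, name.strip()), {})
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition('=')
        current[key.strip()] = value.strip()
    default = sections.get(('conn', '%default'), {})
    conns = {}
    for (kind, name), opts in sections.items():
        if kind == 'conn' and name != '%default':
            merged = dict(default)
            merged.update(opts)
            conns[name] = merged
    return conns


def subnets(value):
    """Split a comma-separated leftsubnet/rightsubnet value into network objects."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(',') if s.strip()]


def spoke_conns(conns):
    """Conns that face a concrete peer (right= is not %any) and carry a rightsubnet."""
    return {n: o for n, o in conns.items()
            if o.get('right') not in (None, '%any') and 'rightsubnet' in o}


def covered(net, prefixes):
    """True if net lies entirely inside one of the given prefixes."""
    return any(net.subnet_of(p) for p in prefixes if p.version == net.version)


def check_spoke_pairs(text):
    """For every ordered spoke pair (a, b): is b's subnet inside conn a's leftsubnet?

    Returns a list of (conn_a, conn_b, subnet_of_b, ok). A False entry means the
    spoke behind conn_a has no traffic selector on the hub for subnet_of_b.
    """
    conns = spoke_conns(parse_ipsec_conf(text))
    findings = []
    for a in sorted(conns):
        local_a = subnets(conns[a].get('leftsubnet', ''))
        for b in sorted(conns):
            if a == b:
                continue
            for remote_b in subnets(conns[b]['rightsubnet']):
                findings.append((a, b, str(remote_b), covered(remote_b, local_a)))
    return findings


def report(text):
    """Human-readable lines; MISSING marks a pair the hub's selectors do not cover."""
    return ['%s: spoke on %s -> %s (spoke on %s), leftsubnet of %s' %
            ('ok' if ok else 'MISSING', a, net, b, a)
            for a, b, net, ok in check_spoke_pairs(text)]


if __name__ == '__main__':
    for line in report(HUB_IPSEC_CONF):
        print(line)
```

Run against the posted configuration, the check flags the csvnetkp conn: its leftsubnet carries 10.6.0.0/24, while the other spoke's rightsubnet is 10.6.0.0/16, so only a /24 of that spoke is selectable from the 10.4.0.0/16 side; the reverse direction (10.4.0.0/16 inside csvnetmsdn2's leftsubnet) is covered. The check says nothing about forwarding or about the spokes' own routes and selectors, which have to match as well.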