[strongSwan] Strongswan as a VPN Hub with a single network adapter

Kevin Palmer kev at thepub.com
Fri Aug 30 12:21:27 CEST 2013


Hi Andy,

The routing on the 10.4.0.0 spoke is configured so that any communication to
the following subnets,
10.30.0.0/16, 10.7.0.0/16, 10.6.0.0/16, 10.3.0.0/16 and 172.16.0.0/16, is
routed to the Strongswan VPN gateway public IP (I've yet to set up the
tunnels for 10.30.0.0, 10.7.0.0 and 10.3.0.0).

When I try to connect to an address in the 10.6.0.0/16 subnet it should be
routed through to the hub and then back out to the other spoke, but
currently it fails.
Connections to 172.16.0.1 are made successfully.

The routing on the 10.6.0.0 spoke is configured so that any communication to
the following subnets,
10.30.0.0/16, 10.4.0.0/16, 10.7.0.0/16, 10.3.0.0/16 and 172.16.0.0/16, is
routed to the Strongswan VPN gateway public IP (I've yet to set up the
tunnels for 10.30.0.0, 10.7.0.0 and 10.3.0.0).

When I try to connect to an address in the 10.4.0.0/16 subnet it should be
routed through to the hub and then back out to the other spoke, but
currently it fails.
Connections to 172.16.0.1 are made successfully.

Many Thanks,

Kevin


On Fri, Aug 30, 2013 at 10:59 AM, Paton, Andy <andy.paton at hp.com> wrote:

> What is your routing setup on the spokes?
>
> Regards,
>
> Andy Paton - Bsc. (Hons), MBCS
> Innovation Engineer
>
> andy.paton at hp.com
>
> From: users-bounces+andy.paton=hp.com at lists.strongswan.org [mailto:
> users-bounces+andy.paton=hp.com at lists.strongswan.org] On Behalf Of Kevin
> Palmer
> Sent: 30 August 2013 10:32
> To: users at lists.strongswan.org
> Subject: [strongSwan] Strongswan as a VPN Hub with a single network
> adapter
>
> Hi,
>
> I have just been using Strongswan for the first time and firstly I’d like
> to say how impressed I was in how easy it was to set up the VPN tunnels. I
> got my two tunnels working within about 20 minutes of installing Strongswan.
>
> I have got a hub and two spokes and once the two tunnels were established
> I can successfully communicate between the spokes and the hub.
>
> The problem I’ve got however is that each ‘Spoke’ of the VPN cannot
> contact other spokes in the VPN.
>
> My first thought was that IPv4 Forwarding needs to be enabled;
> however, enabling IPv4 Forwarding did not solve the problem.
>
> I’ve also tried adding each spoke subnet as ‘Left’ subnets in the other
> connections in ipsec.conf but Strongswan reports “no local address found in
> traffic selector 10.6.0.0/24” as that subnet is not allocated to my
> adapter.
>
> The other point to note is that my machine has only one network adapter
> which is connected to the internet, so to get a local subnet I added a
> second IP address to the adapter (eth0:0).
>
> Does anyone have any suggestions on what I should try next?
>
> Configuration below…
>
> Thanks,
>
> Kevin
>
> Interfaces
>
> auto eth0
> iface eth0 inet static
>     address xxx.xxx.xxx.xxx
>     gateway zzz.zzz.zzz.zzz
>     netmask 255.255.252.0
>
> auto lo
> iface lo inet loopback
>
> auto eth0:0
> iface eth0:0 inet static
>     address 172.16.0.1
>     netmask 255.255.0.0
>
> ipsec.conf
>
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>         # plutodebug=all
>         # crlcheckinterval=600
>         # strictcrlpolicy=yes
>         # cachecrls=yes
>         nat_traversal=yes
>         charonstart=yes
>         plutostart=yes
>
> # Add connections here.
>
> conn %default
>      ikelifetime=60m
>      keylife=20m
>      rekeymargin=3m
>      keyingtries=1
>      keyexchange=ikev2
>      authby=secret
>      mobike=yes
>
> # CSVNETKP Connection
>
> conn csvnetkp
>       left=%any
>       leftsubnet=172.16.0.0/24,10.6.0.0/24
>       leftid=@csvpn.local
>       right=aaa.aaa.aaa.aaa
>       rightsubnet=10.4.0.0/16
>       auto=route
>       esp=aes256
>
> conn csvnetmsdn2
>      left=%any
>      leftsubnet=172.16.0.0/24,10.4.0.0/16
>      leftid=@csvpn.cirrasoft.local
>      right=bbb.bbb.bbb.bbb
>      rightsubnet=10.6.0.0/16
>      auto=route
>      esp=aes256
>
> Where
> xxx.xxx.xxx.xxx is my Public facing address
> zzz.zzz.zzz.zzz is my ISP gateway
> aaa.aaa.aaa.aaa is the Gateway of ‘spoke’ Subnet 10.4.0.0/16
> bbb.bbb.bbb.bbb is the Gateway of ‘spoke’ Subnet 10.6.0.0/16
>
> And I have my PSKs in the secrets file mapped to the two gateways.
>
> If anyone can help this would be much appreciated.
>
> I'm sure I am almost there but... not quite!
>
> Many Thanks,
>
> Kevin
>
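Added example (not code from the thread or from strongSwan): a small policy-coverage check that models how the hub matches spoke-to-spoke traffic against the traffic selectors of its two conns. A packet from spoke A to spoke B is relayed only if one tunnel's inbound policy (src in rightsubnet, dst in leftsubnet) accepts it and the other tunnel's outbound policy (src in leftsubnet, dst in rightsubnet) carries it on; the conn names and subnets are taken from the posted ipsec.conf, the helper names and the FIXED_CONNS variant (both remote-spoke selectors widened to the full /16) are my own, and the spokes' own policies and ip_forward=1 on the hub are assumed to be in place.

```python
from ipaddress import ip_address, ip_network

# Traffic selectors from the posted hub ipsec.conf (left = hub side, right = spoke side).
HUB_CONNS = {
    "csvnetkp":    {"left": ["172.16.0.0/24", "10.6.0.0/24"], "right": ["10.4.0.0/16"]},
    "csvnetmsdn2": {"left": ["172.16.0.0/24", "10.4.0.0/16"], "right": ["10.6.0.0/16"]},
}

# Constructed variant for comparison (not a config from the thread): the
# remote-spoke selector in csvnetkp widened to spoke B's full /16.
FIXED_CONNS = {
    "csvnetkp":    {"left": ["172.16.0.0/24", "10.6.0.0/16"], "right": ["10.4.0.0/16"]},
    "csvnetmsdn2": {"left": ["172.16.0.0/24", "10.4.0.0/16"], "right": ["10.6.0.0/16"]},
}

def _covered(addr, subnets):
    ip = ip_address(addr)
    return any(ip in ip_network(s) for s in subnets)

def inbound_conn(conns, src, dst):
    """Conn whose inbound policy (src in rightsubnet, dst in leftsubnet) accepts the packet."""
    for name, ts in conns.items():
        if _covered(src, ts["right"]) and _covered(dst, ts["left"]):
            return name
    return None

def outbound_conn(conns, src, dst):
    """Conn whose outbound policy (src in leftsubnet, dst in rightsubnet) carries the packet."""
    for name, ts in conns.items():
        if _covered(src, ts["left"]) and _covered(dst, ts["right"]):
            return name
    return None

def hub_relays(conns, src, dst):
    """Spoke-to-spoke traffic is relayed only if the hub accepts it inbound on one
    tunnel and can send it outbound on the other (ip_forward=1 assumed)."""
    inn, out = inbound_conn(conns, src, dst), outbound_conn(conns, src, dst)
    return inn is not None and out is not None and inn != out

if __name__ == "__main__":
    # Constructed sample flows: spoke A (10.4/16) <-> spoke B (10.6/16).
    flows = [("10.4.1.10", "10.6.0.5"), ("10.4.1.10", "10.6.1.5"), ("10.6.1.5", "10.4.1.10")]
    for label, conns in (("posted", HUB_CONNS), ("widened", FIXED_CONNS)):
        for src, dst in flows:
            print(f"{label}: {src} -> {dst}: in={inbound_conn(conns, src, dst)} "
                  f"out={outbound_conn(conns, src, dst)} relayed={hub_relays(conns, src, dst)}")
```

With the posted selectors only spoke-B hosts inside 10.6.0.0/24 are reachable from spoke A via the hub, and nothing in 10.6.1.0 and above can be accepted inbound by csvnetkp or sent outbound to spoke A; the widened variant matches every direction, which is the selector consistency the hub needs before forwarding can help.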