[strongSwan] Strongswan as a VPN Hub with a single network adapter

Noel Kuntze noel at familie-kuntze.de
Fri Aug 30 12:56:30 CEST 2013


Hello,

I don't think using rightsubnet is correct in this case, as it only applies to networks that are physically attached to the remote host.
You can, however, customize the _updown script to set routes to the remote subnets that go through the VPN responder.
The _updown script is in /lib/strongswan/. You should create a copy of it and adjust up-host, down-host, up-client and/or down-client.
Read the comments on the cases in the switch case of the script to determine what needs to be adjusted.
I don't know if it will work, as I don't know if strongSwan will reject the traffic to subnets that are not physically attached to it.

Regards,
Noel Kuntze

On 30.08.2013 12:21, Kevin Palmer wrote:
> Hi Andy,
> 
> The routing on the 10.4.0.0 spoke is configured so that any communication to the following subnets
> 10.30.0.0/16, 10.7.0.0/16, 10.6.0.0/16, 10.3.0.0/16, 172.16.0.0/16 will be routed to the Strongswan VPN gateway public IP (I've yet to set up the tunnels for 10.30.0.0, 10.7.0.0 and 10.3.0.0).
> 
> When I try to connect to an address in the 10.6.0.0/16 subnet it should be routed through to the hub and then back out to the other spoke, but currently it fails.
> Connections to 172.16.0.1 are made successfully.
> 
> The routing on the 10.6.0.0 spoke is configured so that any communication to the following subnets
> 10.30.0.0/16, 10.4.0.0/16, 10.7.0.0/16, 10.3.0.0/16, 172.16.0.0/16 will be routed to the Strongswan VPN gateway public IP (I've yet to set up the tunnels for 10.30.0.0, 10.7.0.0 and 10.3.0.0).
> 
> When I try to connect to an address in the 10.4.0.0/16 subnet it should be routed through to the hub and then back out to the other spoke, but currently it fails.
> Connections to 172.16.0.1 are made successfully.
>
> Many Thanks,
> 
> Kevin
>
> 
> On Fri, Aug 30, 2013 at 10:59 AM, Paton, Andy <andy.paton at hp.com> wrote:
>
>     What is your routing setup on the spokes?
>
>     Regards,
>
>     *Andy Paton* - Bsc. (Hons), MBCS
>     Innovation Engineer
>
>     andy.paton at hp.com
>
>     HP <http://www.hp.com/>
>
>     *From:* users-bounces+andy.paton=hp.com at lists.strongswan.org [mailto:users-bounces+andy.paton=hp.com at lists.strongswan.org] *On Behalf Of* Kevin Palmer
>     *Sent:* 30 August 2013 10:32
>     *To:* users at lists.strongswan.org
>     *Subject:* [strongSwan] Strongswan as a VPN Hub with a single network adapter
>
>     Hi,
>
>     I have just been using Strongswan for the first time and firstly I’d like to say how impressed I was in how easy it was to set up the VPN tunnels. I got my two tunnels working within about 20 minutes of installing Strongswan.
>
>     I have got a hub and two spokes, and once the two tunnels were established I can successfully communicate between the spokes and the hub.
>
>     The problem I’ve got, however, is that each ‘Spoke’ of the VPN cannot contact other spokes in the VPN.
>
>     My first thought was that IPv4 Forwarding needed to be enabled; however, enabling IPv4 Forwarding did not solve the problem.
>
>     I’ve also tried adding each spoke subnet as ‘Left’ subnets in the other connections in ipsec.conf, but Strongswan reports “no local address found in traffic selector 10.6.0.0/24” as that subnet is not allocated to my adapter.
>
>     The other point to note is that my machine has only one network adapter, which is connected to the internet, so to get a local subnet I added a second IP address to the adapter (eth0:0).
>
>     Does anyone have any suggestions on what I should try next?
>
>     Configuration below…
>
>     Thanks,
>
>     Kevin
>
>     *Interfaces*
>
>     auto eth0
>     iface eth0 inet static
>         address xxx.xxx.xxx.xxx
>         gateway zzz.zzz.zzz.zzz
>         netmask 255.255.252.0
>
>     auto lo
>     iface lo inet loopback
>
>     auto eth0:0
>     iface eth0:0 inet static
>         address 172.16.0.1
>         netmask 255.255.0.0
>
>     *ipsec.conf*
>
>     # ipsec.conf - strongSwan IPsec configuration file
>
>     # basic configuration
>
>     config setup
>             # plutodebug=all
>             # crlcheckinterval=600
>             # strictcrlpolicy=yes
>             # cachecrls=yes
>             nat_traversal=yes
>             charonstart=yes
>             plutostart=yes
>
>     # Add connections here.
>
>     conn %default
>          ikelifetime=60m
>          keylife=20m
>          rekeymargin=3m
>          keyingtries=1
>          keyexchange=ikev2
>          authby=secret
>          mobike=yes
>
>     # CSVNETKP Connection
>
>     conn csvnetkp
>           left=%any
>           leftsubnet=172.16.0.0/24,10.6.0.0/24
>           leftid=@csvpn.local
>           right=aaa.aaa.aaa.aaa
>           rightsubnet=10.4.0.0/16
>           auto=route
>           esp=aes256
>
>     conn csvnetmsdn2
>          left=%any
>          leftsubnet=172.16.0.0/24,10.4.0.0/16
>          leftid=@csvpn.cirrasoft.local
>          right=bbb.bbb.bbb.bbb
>          rightsubnet=10.6.0.0/16
>          auto=route
>          esp=aes256
>
>     Where
>
>     xxx.xxx.xxx.xxx is my Public facing address
>     zzz.zzz.zzz.zzz is my ISP gateway
>     aaa.aaa.aaa.aaa is the Gateway of ‘spoke’ Subnet 10.4.0.0/16
>     bbb.bbb.bbb.bbb is the Gateway of ‘spoke’ Subnet 10.6.0.0/16
>
>     And I have my PSKs in the secrets file mapped to the two gateways.
>
>     If anyone can help this would be much appreciated.
>
>     I'm sure I am almost there but... not quite!
>
>     Many Thanks,
>
>     Kevin
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

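One way to realize the _updown customization Noel describes, written as an added example for this thread (it is not strongSwan's stock _updown script and was not posted by anyone in the thread): a small hook that a copy of /lib/strongswan/_updown can source and call from its up-client and down-client cases, so that the subnets of the other spokes are routed toward the peer whose CHILD_SA just came up or went down. The variable names SPOKE_EXTRA_SUBNETS and IP_CMD, the function names, the sample "ip route get" line and the 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed for the example; PLUTO_VERB, PLUTO_PEER, PLUTO_ME and PLUTO_PEER_CLIENT are the environment variables charon's updown plugin exports to the script.

```shell
#!/bin/sh
# Added example for this thread; it is neither strongSwan's stock _updown nor the
# posters' configuration. A copy of /lib/strongswan/_updown can source this file and
# call run_hook from its up-client and down-client cases so that subnets of *other*
# spokes are routed toward the peer whose CHILD_SA just came up or went down.
#
# Assumptions (hypothetical, for illustration):
#   SPOKE_EXTRA_SUBNETS  space-separated IPv4 CIDRs behind this peer, set by the
#                        administrator in the copied script before calling run_hook
#   IP_CMD               the ip(8) binary; set IP_CMD=echo for a dry run
# PLUTO_VERB, PLUTO_PEER, PLUTO_ME and PLUTO_PEER_CLIENT are the variables charon's
# updown plugin exports to the script.

IP_CMD="${IP_CMD:-ip}"

# Accept only a dotted-quad IPv4 prefix, so a typo in the subnet list can never
# turn into an unexpected argument for ip(8).
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# Parse the first line of "ip route get <peer>" and print "GATEWAY DEV";
# GATEWAY is "-" when the peer is on-link (no "via" in the output).
#   $1  e.g. "203.0.113.5 via 198.51.100.1 dev eth0 src 198.51.100.10 uid 0" (constructed)
route_get_parse() {
    gw="-"; dev="-"
    set -- $1
    while [ $# -ge 2 ]; do
        case "$1" in
            via) gw="$2" ;;
            dev) dev="$2" ;;
        esac
        shift
    done
    printf '%s %s\n' "$gw" "$dev"
}

# Print one "ip route" argument list per subnet for the given updown verb.
#   $1 verb  $2 gateway or "-"  $3 device  $4 local source address  $5 subnets
spoke_route_cmds() {
    verb="$1"; gw="$2"; dev="$3"; src="$4"; subnets="$5"
    case "$verb" in
        up-client)   action="replace" ;;   # idempotent: a repeated "up" must not fail
        down-client) action="del" ;;
        *)           return 0 ;;           # up-host, down-host, ... need no extra routes
    esac
    for net in $subnets; do
        printf 'route %s %s' "$action" "$net"
        if [ "$gw" != "-" ]; then printf ' via %s' "$gw"; fi
        printf ' dev %s src %s\n' "$dev" "$src"
    done
}

# Entry point for the copied _updown script.
run_hook() {
    extra=""
    for net in ${SPOKE_EXTRA_SUBNETS:-}; do
        valid_cidr "$net" || { echo "spoke hook: rejecting subnet '$net'" >&2; return 1; }
        # charon already routes the peer's own traffic selector; do not duplicate it.
        if [ "$net" != "${PLUTO_PEER_CLIENT:-}" ]; then extra="$extra $net"; fi
    done
    # Reuse whatever next hop the kernel already uses to reach the peer's public IP.
    set -- $(route_get_parse "$($IP_CMD route get "$PLUTO_PEER" | head -n 1)")
    spoke_route_cmds "$PLUTO_VERB" "$1" "$2" "$PLUTO_ME" "$extra" |
    while read -r args; do
        $IP_CMD $args   # word splitting is intended: args is one complete route command
    done
}

# Run only when invoked by strongSwan; sourcing the file for tests is a no-op.
if [ -n "${PLUTO_VERB:-}" ]; then
    run_hook
fi
```

In the copied _updown, source this file near the top, set SPOKE_EXTRA_SUBNETS per connection (for instance from a case on $PLUTO_CONNECTION), and add a run_hook line to the up-client and down-client cases; an IP_CMD=echo dry run shows exactly which routes would be touched before the hook is allowed near the kernel. A route only decides where the kernel sends a packet: if the IPsec policies on both gateways do not also cover the spoke-to-spoke pair, the forwarded traffic is dropped or leaves in the clear, which is the doubt Noel raises and which this script does not remove on its own.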