[strongSwan] Strongswan as a VPN Hub with a single network adapter

Kevin Palmer kev at thepub.com
Fri Aug 30 14:26:42 CEST 2013


I have now managed to get it working (it was just a silly mistake on the left
subnet for csvnetkp: I used a /24 instead of a /16).

I can now get successful pings between nodes which is awesome!

However, it all looked great until I tried to actually communicate between
spokes. I seem to be able to do pings and make connections to ports, but
when I try to put some traffic across the VPN I get problems, i.e. I can
successfully telnet to ports but actually doing any meaningful
communication seems to fail.

My two spokes are Windows machines and I've tried creating an RDP
connection between them which accepts the connection, asks for credentials,
starts connecting and then hangs for a while. Finally it fails. It seems
like the initial connection can be made but very soon after the connection
hangs.

Doing DNS lookups between spokes on the VPN however works fine (I think
because they are brief).

I can connect to an FTP server and do a directory listing but as soon as I
try and transfer a file it hangs and then fails.

Any ideas what can cause this connection hanging?

Many Thanks,

Kevin
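
An added check for the mismatch Kevin describes (my example, not code from the thread or from the strongSwan project): it parses a hub-style ipsec.conf and verifies, for every pair of spoke conns, that the hub's leftsubnet towards one spoke covers the other spoke's rightsubnet, so a /24 standing in for a /16 shows up before the tunnels are brought up. The embedded configuration is constructed from the subnet lines of the hub config quoted further down; `config setup` and `%default` are skipped since they carry no subnets here.

```python
import re
from ipaddress import ip_network

# Constructed sample, trimmed to the subnet lines of the hub config quoted below:
# csvnetkp carries 10.6.0.0/24 on the hub side while the csvnetmsdn2 spoke is 10.6.0.0/16.
HUB_IPSEC_CONF = """\
conn csvnetkp
      leftsubnet=172.16.0.0/24,10.6.0.0/24
      rightsubnet=10.4.0.0/16

conn csvnetmsdn2
     leftsubnet=172.16.0.0/24,10.4.0.0/16
     rightsubnet=10.6.0.0/16
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} per conn section; config setup and %default are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments and trailing whitespace
        if not line.strip():
            continue
        head = re.match(r"^(config|conn)\s+(\S+)", line)
        if head:
            kind, name = head.groups()
            current = conns.setdefault(name, {}) if kind == "conn" and name != "%default" else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def subnets(value):
    return [ip_network(s.strip(), strict=False) for s in value.split(",") if s.strip()]

def check_hub_coverage(text):
    """For every pair of spoke conns A != B, A's leftsubnet must contain a network covering
    B's rightsubnet; otherwise spoke B's traffic has no traffic selector on A's tunnel."""
    conns = parse_conns(text)
    problems = []
    for a, ca in conns.items():
        local = subnets(ca.get("leftsubnet", ""))
        for b, cb in conns.items():
            if a == b:
                continue
            for remote in subnets(cb.get("rightsubnet", "")):
                if not any(remote.subnet_of(net) for net in local):
                    problems.append(f"{a}: leftsubnet does not cover {remote} (rightsubnet of {b})")
    return problems
```

Run against the quoted config it reports the csvnetkp /24 that Kevin later widened to /16; with that one value corrected it reports nothing.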




On Fri, Aug 30, 2013 at 11:56 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:

> Hello,
>
> I don't think using rightsubnet is correct in this case, as it only
> applies to networks that are physically attached to the remote host.
> You can, however, customize the _updown script to set routes to the remote
> subnets that go through the VPN responder.
> The _updown script is in /lib/strongswan/. You should create a copy of it
> and adjust up-host, down-host, up-client and/or down-client.
> Read the comments on the cases in the switch case of the script to
> determine what needs to be adjusted.
> I don't know if it will work, as I don't know if strongSwan will reject
> the traffic to subnets that are not physically attached to it.
>
> Regards,
> Noel Kuntze
>
> On 30.08.2013 12:21, Kevin Palmer wrote:
> > Hi Andy,
> >
> > The routing on the 10.4.0.0 spoke is configured that any communication
> > to the following subnets
> > 10.30.0.0/16,10.7.0.0/16,10.6.0.0/16,10.3.0.0/16,172.16.0.0/16
> > will be routed to the Strongswan VPN gateway public IP (I've yet to set up
> > the tunnels for 10.30.0.0, 10.7.0.0 and 10.3.0.0).
> >
> > When I try to connect to an address in the 10.6.0.0/16 subnet it should
> > be routed through to the hub and then back out to the other spoke but
> > currently it fails.
> > Connections to 172.16.0.1 are made successfully.
> >
> > The routing on the 10.6.0.0 spoke is configured that any communication
> > to the following subnets
> > 10.30.0.0/16,10.4.0.0/16,10.7.0.0/16,10.3.0.0/16,172.16.0.0/16
> > will be routed to the Strongswan VPN gateway public IP (I've yet to set up
> > the tunnels for 10.30.0.0, 10.7.0.0 and 10.3.0.0).
> >
> > When I try to connect to an address in the 10.4.0.0/16 subnet it should
> > be routed through to the hub and then back out to the other spoke but
> > currently it fails.
> > Connections to 172.16.0.1 are made successfully.
> >
> > Many Thanks,
> >
> > Kevin
> >
> > On Fri, Aug 30, 2013 at 10:59 AM, Paton, Andy <andy.paton at hp.com> wrote:
> >
> >     What is your routing setup on the spokes?
> >
> >     Regards,
> >
> >     Andy Paton - Bsc. (Hons), MBCS
> >     Innovation Engineer
> >
> >     andy.paton at hp.com
> >
> >     HP <http://www.hp.com/>
> >
> >     From: users-bounces+andy.paton=hp.com at lists.strongswan.org On Behalf Of Kevin Palmer
> >     Sent: 30 August 2013 10:32
> >     To: users at lists.strongswan.org
> >     Subject: [strongSwan] Strongswan as a VPN Hub with a single network adapter
> >
> >     Hi,
> >     I have just been using Strongswan for the first time and firstly I’d
> >     like to say how impressed I was in how easy it was to set up the VPN
> >     tunnels. I got my two tunnels working within about 20 minutes of
> >     installing Strongswan.
> >
> >     I have got a hub and two spokes and once the two tunnels were
> >     established I can successfully communicate between the spokes and the hub.
> >
> >     The problem I’ve got however is that each ‘Spoke’ of the VPN cannot
> >     contact other spokes in the VPN.
> >
> >     My first thought was that IPv4 Forwarding needed to be enabled;
> >     however, enabling IPv4 Forwarding did not solve the problem.
> >
> >     I’ve also tried adding each spoke subnet as ‘Left’ subnets in the
> >     other connections in ipsec.conf but Strongswan reports “no local address
> >     found in traffic selector 10.6.0.0/24” as that subnet is not allocated
> >     to my adapter.
> >
> >     The other point to note is that my machine has only one network
> >     adapter which is connected to the internet, so to get a local subnet I
> >     added a second IP address to the adapter (eth0:0).
> >
> >     Does anyone have any suggestions on what I should try next?
> >
> >     Configuration below…
> >
> >     Thanks,
> >
> >     Kevin
> >
> >
> >
> >     Interfaces
> >
> >     auto eth0
> >     iface eth0 inet static
> >         address xxx.xxx.xxx.xxx
> >         gateway zzz.zzz.zzz.zzz
> >         netmask 255.255.252.0
> >
> >     auto lo
> >     iface lo inet loopback
> >
> >     auto eth0:0
> >     iface eth0:0 inet static
> >         address 172.16.0.1
> >         netmask 255.255.0.0
> >
> >     ipsec.conf
> >
> >     # ipsec.conf - strongSwan IPsec configuration file
> >
> >     # basic configuration
> >
> >     config setup
> >             # plutodebug=all
> >             # crlcheckinterval=600
> >             # strictcrlpolicy=yes
> >             # cachecrls=yes
> >             nat_traversal=yes
> >             charonstart=yes
> >             plutostart=yes
> >
> >     # Add connections here.
> >
> >     conn %default
> >          ikelifetime=60m
> >          keylife=20m
> >          rekeymargin=3m
> >          keyingtries=1
> >          keyexchange=ikev2
> >          authby=secret
> >          mobike=yes
> >
> >     # CSVNETKP Connection
> >
> >     conn csvnetkp
> >           left=%any
> >           leftsubnet=172.16.0.0/24,10.6.0.0/24
> >           leftid=@csvpn.local
> >           right=aaa.aaa.aaa.aaa
> >           rightsubnet=10.4.0.0/16
> >           auto=route
> >           esp=aes256
> >
> >     conn csvnetmsdn2
> >          left=%any
> >          leftsubnet=172.16.0.0/24,10.4.0.0/16
> >          leftid=@csvpn.cirrasoft.local
> >          right=bbb.bbb.bbb.bbb
> >          rightsubnet=10.6.0.0/16
> >          auto=route
> >          esp=aes256
> >
> >     Where
> >
> >     xxx.xxx.xxx.xxx is my Public facing address
> >     zzz.zzz.zzz.zzz is my ISP gateway
> >     aaa.aaa.aaa.aaa is the Gateway of ‘spoke’ Subnet 10.4.0.0/16
> >     bbb.bbb.bbb.bbb is the Gateway of ‘spoke’ Subnet 10.6.0.0/16
> >
> >
> >     And I have my PSKs in the secrets file mapped to the two gateways.
> >
> >     If anyone can help this would be much appreciated.
> >
> >     I'm sure I am almost there but... not quite!
> >
> >     Many Thanks,
> >
> >     Kevin
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users