[strongSwan] roadwarrior as gateway, possible?

Noel Kuntze noel at familie-kuntze.de
Wed Dec 24 13:49:19 CET 2014



Hello Zesen,

Please place the "ACCEPT" rule in front of the "MASQUERADE" rule.

Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 24.12.2014 at 12:09, Zesen Qian wrote:
> Noel Kuntze <noel at familie-kuntze.de> writes:
>
>> Hello Zesen,
>>
>> You do not need a virtual IP. Route 10.0.0.0/0 == 0.0.0.0/0 through the tunnel
>> and use a passthrough policy of 10.0.0.0/0 == 10.0.0.0/0 to allow local traffic.
>> Make the hosts in the LAN use your old notebook as gateway for the default route
>> and it will work. I did that here at my place and it works just fine.
>> See [1] for some explanation on getting routing to work.
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>>
>> Kind regards/Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 23.12.2014 at 02:47, Zesen Qian wrote:
>>> Hi all,
>>> I'm configuring a special roadwarrior and I'm quite new to the IPsec world,
>>> so please correct me if I'm wrong. :-)
>>> I want to config it in such way:
>>>
>>> 0. Riaqn-Laptop is my old laptop acting as gateway in my home, the lan
>>> is 10.0.0.0/24, and the external IP is dynamically allocated.
>>> Riaqn-VPS is VPS, which has a static IP(that Riaqn-Laptop can
>>> connect to).
>>>
>>> 1. Laptop as initiator, VPS as responder. Once the connection is
>>> established, Laptop gives the VPS a virtual IP in 10.0.0.0/24 (just like
>>> the local LAN machines). Do the dhcp and farp plugins do the trick?
>>>
>>> 2. Then all outgoing traffic in the LAN goes through IPsec, that is, if
>>> a normal computer in the LAN connects to an outside server, the server
>>> should see the VPS's IP.
>>>
>>> Is it possible with strongSwan? I've seen lots of config examples on the
>>> strongSwan website, but none of them is like what I said. I have
>>> struggled for more than a week... BTW, is there any good article that
>>> explains traffic selectors/routing in IPsec (for a beginner)?
>>> Any comments are appreciated!
>>
>>
>
> Hi Noel,
>    Thanks for your reply!
>    I checked the URL and tried to understand it. Then I configured it in
>    such a way:
>    1. server and client ipsec.conf is here[1]:
>    2. I do some iptables stuff on the server side, just as the URL says:
>       iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o venet0 -j MASQUERADE
>       iptables -t nat  -A POSTROUTING -s 10.0.0.0/24 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
>    3. Then I up the client. Once the connection is established, the
>    client's connection to everything (to the Internet, to the LAN) seems cut off.
>    Outer world cannot ping the client(gateway), and LAN machines
>    cannot connect to it, either.
>    4. However, I can connect the client from the server. I typed
>    ssh 10.0.0.1 to check what happens. So this is what it looks like on
>    client [2]
>    5. And this is what it looks like on server [3]
>
>    Would you help me check this info please? BTW, do you know any
>    articles explaining traffic selectors/routing/stuff? I'm really
>    confused about how IPsec is integrated into my network..
>
> [1] https://bpaste.net/show/45dcd2c1100d
> [2] https://bpaste.net/show/e2add2951990
> [3] https://bpaste.net/show/96a7300a7e73
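To show why the rule order matters, here is an added example (not from the thread and not strongSwan code) that models netfilter's first-match traversal of the nat POSTROUTING chain with the two rules Zesen posted. The `Packet`/`Rule` classes and the `ipsec_policy` flag are assumptions standing in for a real packet and the `-m policy --dir out --pol ipsec` match; both sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Packet:
    src: str
    out_iface: str
    ipsec_policy: bool   # True if an outbound IPsec policy covers this packet

@dataclass
class Rule:
    target: str                      # terminating target: ACCEPT or MASQUERADE
    src_net: str                     # -s
    out_iface: Optional[str] = None  # -o
    pol_ipsec: bool = False          # -m policy --dir out --pol ipsec

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.out_iface is not None and pkt.out_iface != self.out_iface:
            return False
        if self.pol_ipsec and not pkt.ipsec_policy:
            return False
        return True

def postrouting(chain: List[Rule], pkt: Packet) -> str:
    """Walk the chain top to bottom; the first matching rule decides."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return "ACCEPT"  # default chain policy when nothing matches

# The two rules from the thread, in the order posted and in the corrected order.
MASQ = Rule("MASQUERADE", "10.0.0.0/24", "venet0")
NO_NAT = Rule("ACCEPT", "10.0.0.0/24", "venet0", pol_ipsec=True)
AS_POSTED = [MASQ, NO_NAT]
CORRECTED = [NO_NAT, MASQ]

# Constructed sample packets, both sourced from the LAN and leaving venet0.
TUNNELED = Packet("10.0.0.1", "venet0", ipsec_policy=True)   # headed into the tunnel
PLAIN = Packet("10.0.0.1", "venet0", ipsec_policy=False)     # headed to the Internet

def verdicts(chain: List[Rule]) -> Tuple[str, str]:
    """Verdict for (tunneled packet, plain Internet packet) under a given chain."""
    return postrouting(chain, TUNNELED), postrouting(chain, PLAIN)

if __name__ == "__main__":
    print("as posted:", verdicts(AS_POSTED))   # ('MASQUERADE', 'MASQUERADE')
    print("corrected:", verdicts(CORRECTED))   # ('ACCEPT', 'MASQUERADE')
```

With MASQUERADE first, the packet bound for the tunnel is source-NATed before the IPsec exemption is ever reached; with ACCEPT first it leaves the chain untouched while ordinary Internet traffic is still masqueraded.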

