[strongSwan] roadwarrior as gateway, possible?

Noel Kuntze noel at familie-kuntze.de
Wed Dec 24 13:53:00 CET 2014



Oh, and furthermore,
1) You also need to exempt IPsec traffic from NAT on your client.
2) You need to clean up your MASQUERADE rules on your server.
    A correct iptables rule set for you looks like this:
    iptables -t nat -A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
    iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE

With kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
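An added check, not code from the thread, for the rule ordering point 2 above depends on: the `-m policy --pol ipsec --dir out -j ACCEPT` exemption has to come before any MASQUERADE rule in the nat POSTROUTING chain, or IPsec-bound packets get source-NATed first and no longer match the IPsec policy. It parses the text of `iptables -t nat -S POSTROUTING` and is run here against two constructed chains: the order from the question (MASQUERADE first) and the recommended order; the same check applies to the client side from point 1.

```shell
#!/bin/sh
# Added example (not from the thread). Audit a nat POSTROUTING chain:
# return 0 when an "-m policy --pol ipsec --dir out -j ACCEPT" rule precedes
# every MASQUERADE rule, 1 otherwise. Input is `iptables -t nat -S POSTROUTING`.
check_ipsec_nat_order() {
    printf '%s\n' "$1" | awk '
        # A MASQUERADE rule reached before the exemption is the misordering.
        /-j MASQUERADE/ && !exempt_seen { misordered = 1 }
        # The exemption rule; option order (--dir/--pol) does not matter.
        /-m policy/ && /--pol ipsec/ && /--dir out/ && /-j ACCEPT/ { exempt_seen = 1 }
        END { if (exempt_seen && !misordered) exit 0; exit 1 }
    '
}

# Constructed sample: the order from the original question. MASQUERADE is
# appended first, so it matches first and the exemption is never reached.
BROKEN_CHAIN='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o venet0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/24 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT'

# Constructed sample: the recommended order, exemption before MASQUERADE.
FIXED_CHAIN='-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
-A POSTROUTING -o venet0 -j MASQUERADE'

report() {  # $1 = label, $2 = chain text
    if check_ipsec_nat_order "$2"; then
        echo "$1: ok, IPsec traffic is exempted before MASQUERADE"
    else
        echo "$1: misordered, MASQUERADE precedes the IPsec exemption"
    fi
}

report "original order" "$BROKEN_CHAIN"
report "recommended order" "$FIXED_CHAIN"
```

On a live box (root needed) run `check_ipsec_nat_order "$(iptables -t nat -S POSTROUTING)"` on both the server and the client.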

On 24.12.2014 at 12:09, Zesen Qian wrote:
> Noel Kuntze <noel at familie-kuntze.de> writes:
>
>> Hello Zesen,
>>
>> You do not need a virtual IP. Route 10.0.0.0/0 == 0.0.0.0/0 through the tunnel
>> and use a passthrough policy of 10.0.0.0/0 == 10.0.0.0/0 to allow local traffic.
>> Make the hosts in the LAN use your old notebook as gateway for the default route
>> and it will work. I did that here at my place and it works just fine.
>> See [1] for some explanation on getting routing to work.
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>>
>> With kind regards/Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 23.12.2014 at 02:47, Zesen Qian wrote:
>>> Hi all,
>>> I'm configuring a special roadwarrior and I'm quite new to the IPsec world,
>>> so please correct me if I'm wrong. :-)
>>> I want to config it in such way:
>>>
>>> 0. Riaqn-Laptop is my old laptop acting as gateway in my home, the lan
>>> is 10.0.0.0/24, and the external IP is dynamically allocated.
>>> Riaqn-VPS is a VPS, which has a static IP (that Riaqn-Laptop can
>>> connect to).
>>>
>>> 1. Laptop as initiator, VPS as responder. Once the connection is
>>> established, Laptop gives the VPS a virtual IP in 10.0.0.0/24 (just as
>>> the local LAN machines). Do the dhcp and farp plugins do the trick?
>>>
>>> 2. Then all outgoing traffic in the LAN goes through IPsec, that is, if
>>> a normal computer in the LAN connects to an outside server, the server
>>> should see the VPS's IP.
>>>
>>> Is it possible with strongSwan? I've seen lots of config examples on the
>>> strongSwan website, but none of them is like what I described. I have
>>> struggled for more than a week... BTW, is there any good article that
>>> explains traffic selectors/routing in IPsec (for a beginner)?
>>> Any comments are appreciated!
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
> Hi Noel,
>    Thanks for your reply!
>    I checked the URL and tried to understand it. Then I configured it in
>    such a way:
>    1. The server and client ipsec.conf are here [1]:
>    2. I do some iptables stuff on the server side, just as the URL says:
>       iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o venet0 -j MASQUERADE
>       iptables -t nat  -A POSTROUTING -s 10.0.0.0/24 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
>    3. Then I bring the client up. Once the connection is established, the
>    client's connection to everything (to the Internet, to the LAN) seems cut off.
>    The outer world cannot ping the client (gateway), and LAN machines
>    cannot connect to it, either.
>    4. However, I can connect to the client from the server. I typed
>    ssh 10.0.0.1 to check what happens. So this is what it looks like on the
>    client [2]
>    5. And this is what it looks like on the server [3]
>
>    Would you help me check this info please? BTW, do you know any
>    articles explaining traffic selectors/routing/stuff? I'm really
>    confused about how IPsec is integrated into my network..
>
> [1] https://bpaste.net/show/45dcd2c1100d
> [2] https://bpaste.net/show/e2add2951990
> [3] https://bpaste.net/show/96a7300a7e73



