[strongSwan] Is a chained client-server VPN possible?

Tim Soderstrom strongswan at moocowproductions.org
Mon Dec 29 19:31:00 CET 2014


I did a bit of obfuscation here and removed the additional user entries, but it is otherwise complete:

###########################
version 2

conn %default
    ikelifetime=60m
    lifetime=12h
    leftfirewall=yes
    left=%any
    leftid="C=US, O=My VPN, CN=vpn.example.com"
    leftcert=vpn.example.com-host.crt.pem
    leftsubnet=172.21.0.0/16
    leftdns=172.21.0.2
    dpdaction=hold

conn Example-Site-To-Site-x509
    keyexchange=ikev2
    leftid=@vpn.example.io
    leftsubnet=172.21.0.0/16,172.22.99.0/24
    right=1.2.3.4
    rightid="vpn-dc2.example.io"
    rightsubnet=172.23.0.0/16
    auto=route

conn Example-Client-OSX
    keyexchange=ikev1
    aggressive=no
    ikelifetime=24h
    lifetime=24h
    inactivity=12h
    authby=xauthrsasig
    xauth=server
    leftauth=pubkey
    leftsubnet=172.21.0.0/16,172.23.0.0/16
    right=%any
    rightauth=pubkey
    rightauth2=xauth
    auto=add

conn example-Client-OSX-user1
    # also= must name an existing section exactly (section names are case-sensitive)
    also=Example-Client-OSX
    rightsourceip=172.22.99.100
    rightsubnet=172.22.99.100
    rightcert=user1.crt.pem

…

###########################

Here is also my base iptables configuration:

###########################
#!/bin/bash

## IPv4
iptables --flush
iptables --flush -t nat

# NAT Routing
# SNAT everything leaving eth2 except ESP itself. Note that "! -p esp" exempts only
# the already-encapsulated ESP packets; plaintext packets that will be encapsulated
# by an IPsec policy on the way out still match this rule.
iptables -t nat -A POSTROUTING -o eth2 ! -p esp -j SNAT --to-source 172.21.0.2

# Services Chain
iptables -X SERVICES
iptables -N SERVICES
iptables -A SERVICES -p ICMP -s 172.21.0.0/16 -j ACCEPT
iptables -A SERVICES -p ICMP -s 172.23.0.0/16 -j ACCEPT
iptables -A SERVICES -p TCP -s 1.2.3.4 --dport 22 -j ACCEPT
iptables -A SERVICES -p TCP -i eth2 --dport 22 -j ACCEPT
iptables -A SERVICES -p UDP --dport 500 -j ACCEPT
iptables -A SERVICES -p UDP --dport 4500 -j ACCEPT
iptables -A SERVICES -p esp -j ACCEPT
iptables -A SERVICES -p TCP -s 172.22.99.0/24 --dport 53 -j ACCEPT
iptables -A SERVICES -p UDP -s 172.22.99.0/24 --dport 53 -j ACCEPT
iptables -A SERVICES -p TCP -s localhost --dport 53 -j ACCEPT
iptables -A SERVICES -p UDP -s localhost --dport 53 -j ACCEPT

# Input Chain
iptables -P INPUT ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j SERVICES
iptables -P INPUT DROP

## IPv6
# NAT Routing
# Services Chain
ip6tables --flush

# Input Chain
ip6tables -P INPUT ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -P INPUT DROP

## Save Ruleset
iptables-save > /etc/iptables.rules
ip6tables-save > /etc/ip6tables.rules

###########################

The client I am using is the OS X built in IKEv1 (aka Cisco IPSec) client and is working well for the private segment (172.21.0.0/16). It’s getting to 172.23.0.0/16 that is the problem.

Thanks for the help!

Tim


> On Dec 29, 2014, at 12:12 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Hello Tim,
> 
> Please show us your ipsec.conf and tell us what client you are using.
> We will then be able to help you without writing lots of unnecessary text.
> 
> Kind regards/Regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
> On 29.12.2014 at 17:02, Tim Soderstrom wrote:
>> I have a VPN server which handles both a client/server and a site-to-site and have been trying to figure out how to get the client/server to see the network across the site to site. On the client connections, I include the remote IP range in ‘leftsubnet’ but I suspect there is either an ordering problem or maybe an iptables issue. StrongSWAN does add a forward from my client range to the remote range though, so I’m not sure what I’m missing. The site to site itself works like a champ so it’s just getting the client/server VPN to see it.
>> 
>> Is there any documentation on this, or any thoughts or suggestions?
>> 
>> Thanks!
>> 
>> Tim
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
> 
> 
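The two conditions the posted config relies on (the road-warrior conn's leftsubnet covering the site-to-site rightsubnet, and the client's virtual IP falling inside the site-to-site leftsubnet so the far gateway has a policy for it) are easy to get wrong across several conn sections with also= inheritance. The following checker is an added example, not code from the original thread or from the strongSwan project: it parses ipsec.conf conn sections, flattens %default and also= (which also catches an also= target whose name does not match any section), and reports which traffic-selector condition fails. The config string, section names and IP ranges are constructed for the example and only mirror the layout of the posted config.

```python
"""Added example (not strongSwan's own tooling): sanity-check the traffic
selectors that let a road-warrior conn on a hub reach the far side of a
site-to-site conn terminating on the same hub.

Assumptions (not from the original post): ipsec.conf syntax, where a
non-indented 'conn NAME' line starts a section, indented key=value lines
belong to it, 'also=' inherits from the named section and '%default' is
the base of every conn; subnet lists are comma-separated.
"""
import ipaddress

# Constructed sample config: mirrors the layout of the posted one, with
# hypothetical section names and addresses.
SAMPLE_CONF = """\
version 2

conn %default
    leftfirewall=yes
    left=%any
    leftsubnet=172.21.0.0/16
    leftdns=172.21.0.2

conn Site-To-Site
    keyexchange=ikev2
    leftsubnet=172.21.0.0/16,172.22.99.0/24
    right=1.2.3.4
    rightsubnet=172.23.0.0/16
    auto=route

conn Client-OSX
    keyexchange=ikev1
    leftsubnet=172.21.0.0/16,172.23.0.0/16
    right=%any
    auto=add

conn Client-OSX-user1
    also=Client-OSX
    rightsourceip=172.22.99.100
    rightsubnet=172.22.99.100
    rightcert=user1.crt.pem
"""


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for every 'conn' section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                      # section header line
            words = line.split()
            current = words[1] if words[0] == "conn" and len(words) == 2 else None
            if current is not None:
                sections[current] = {}
            continue                                   # 'version', 'config setup' skipped
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def resolve(sections, name, _seen=()):
    """Flatten a conn: own keys override the also= parent, which overrides %default."""
    if name in _seen:
        raise ValueError(f"also= loop through {name!r}")
    if name not in sections:
        raise KeyError(f"section {name!r} not found (misspelled or mis-cased also= target?)")
    own = dict(sections[name])
    parent = own.pop("also", None)
    if parent is not None:
        base = resolve(sections, parent, _seen + (name,))
    elif name != "%default" and "%default" in sections:
        base = resolve(sections, "%default", _seen + (name,))
    else:
        base = {}
    return {**base, **own}


def subnets(value):
    """Parse a comma-separated subnet list; bare addresses become /32, ranges yield both ends."""
    nets = []
    for item in (value or "").split(","):
        item = item.strip()
        if not item or item.startswith("%"):           # pool/config name, not an address
            continue
        ends = item.split("-", 1) if "-" in item else [item]
        nets.extend(ipaddress.ip_network(e.strip(), strict=False) for e in ends)
    return nets


def check_chain(sections, client_conn, s2s_conn):
    """Return findings (empty list = OK) for a client conn that should reach s2s's far side.

    1. client leftsubnet must cover the site-to-site rightsubnet, or the client
       never gets a policy for the remote site;
    2. the client's rightsourceip must lie inside the site-to-site leftsubnet,
       or the far gateway has no policy admitting the client's packets.
    """
    try:
        client, s2s = resolve(sections, client_conn), resolve(sections, s2s_conn)
    except (KeyError, ValueError) as exc:
        return [str(exc)]
    findings = []
    offered = subnets(client.get("leftsubnet"))
    for net in subnets(s2s.get("rightsubnet")):
        if not any(net.subnet_of(o) for o in offered):
            findings.append(f"{client_conn}: leftsubnet does not cover {net} ({s2s_conn} rightsubnet)")
    s2s_local = subnets(s2s.get("leftsubnet"))
    for vip in subnets(client.get("rightsourceip")):
        if not any(vip.subnet_of(o) for o in s2s_local):
            findings.append(f"{client_conn}: rightsourceip {vip} is outside {s2s_conn} leftsubnet")
    return findings


if __name__ == "__main__":
    print(check_chain(parse_ipsec_conf(SAMPLE_CONF), "Client-OSX-user1", "Site-To-Site") or "OK")
```

Run it against a real file with `parse_ipsec_conf(open("/etc/ipsec.conf").read())`; the checks cover only the IKE traffic selectors, so a clean result still leaves FORWARD rules and NAT exemptions on the hub to verify separately.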


