[strongSwan] Instructions on getting 2 virtual boxes connected with strongswan

Noel Kuntze noel at familie-kuntze.de
Thu May 1 20:59:45 CEST 2014


The NetworkManager plugin has a couple of restrictions and can only be used as a client. If you want to connect two VMs together, at least one has to run strongSwan all the time and be able to react to the other VM's packets.
You can't use NetworkManager on both. I advise simply using strongSwan itself on both hosts and setting it up correctly.

On 01.05.2014 20:56, Brian Watson wrote:
> So is this the information that I should follow from the wiki:
> Is it best to use the NetworkManager plugin?
>     Configuration Files
> The configuration files used by strongSwan are as follows:
>   * ipsec.conf <http://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf>: provides the configuration of IPsec connections
>   * ipsec.secrets <http://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets>: lists the secrets (pre-shared keys, private keys)
>   * ipsec.d <http://wiki.strongswan.org/projects/strongswan/wiki/IpsecDirectory>: stores certificates and private keys
>   * strongswan.conf <http://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf>: allows one to configure global settings
> Other Configuration Sources
> The configuration may also be loaded from an SQL database <http://wiki.strongswan.org/projects/strongswan/wiki/SQL> or provided by custom plugins like the one used with
> the NetworkManager plugin <http://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager>.
> Invocation and Maintenance
> strongSwan is usually controlled with the ipsec command <http://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand>. |ipsec start| will start the starter daemon <http://wiki.strongswan.org/projects/strongswan/wiki/IpsecStarter> which in turn
> starts and configures the keying daemon charon <http://wiki.strongswan.org/projects/strongswan/wiki/Charon>.
> Connections defined as conn sections in ipsec.conf <http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection> can be started on three different occasions:
>   * *On startup*: Connections configured with /auto=start/ will automatically be established when the daemon is started.
>   * *On traffic*: If /auto=route/ is used, IPsec policies for the configured traffic (/left|rightsubnet/) will be installed and traffic
>     matching these policies will trigger events that cause the daemon to establish the connection.
>   * *Manually*: A connection that uses /auto=add/ has to be established manually with |ipsec up <name>|. It is also
>     possible to use |ipsec route <name>| to install policies manually for such connections.
> After an SA has been established |ipsec down| may be used to tear down the IKE_SA or individual CHILD_SAs.
> Whenever the ipsec.conf <http://wiki.strongswan.org/projects/strongswan/wiki/Ipsecconf> file is changed it may be reloaded with |ipsec update| or |ipsec reload|. Already established
> connections are not affected by these commands; if that is required, |ipsec restart| must be used.
> If ipsec.secrets <http://wiki.strongswan.org/projects/strongswan/wiki/Ipsecsecrets> or the files in ipsec.d <http://wiki.strongswan.org/projects/strongswan/wiki/IpsecDirectory> have been changed the ipsec reread... <http://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand#Reread-Commands> commands may be used to reload these files.
> End-entity certificates placed in ipsec.d/certs <http://wiki.strongswan.org/projects/strongswan/wiki/IpsecDirectoryCerts> are not reloaded automatically; instead they are loaded whenever referenced
> with /left|rightcert/ in a conn section <http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection>. Using the ipsec purge... <http://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand#Purge-Commands> commands may be required in order for the new files to be used.
> Using the ipsec list... <http://wiki.strongswan.org/projects/strongswan/wiki/Ipseccommand#List-Commands> commands will provide information about loaded or cached certificates, supported algorithms and
> loaded plugins.
> On Thu, May 1, 2014 at 11:34 AM, Brian Watson <brianwatson999999 at gmail.com> wrote:
>     Hi,
>       I'm new to StrongSwan and am looking for some good instructions on setting up a VPN between 2 virtual machines running on the same laptop. The wiki pages seem to lay out a lot of different scenarios, but nothing to walk you through the steps necessary to start from scratch. I've downloaded the sw into my Ubuntu machine, but can't find the instructions as to what app to start and what to do next.
>       Any ideas?
>     Thanks,
>        Brian

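The setup advised in this thread (strongSwan itself on both VMs, one side always ready to respond) can be sketched as the script below, which is an added example and not part of the original messages or the strongSwan project. The connection name `vm-to-vm`, the output directory layout and the `192.168.56.x` addresses in the usage are assumptions; the responder uses `auto=add` and the initiator `auto=start`, as described in the quoted wiki text.

```shell
#!/bin/sh
# Added example: render ipsec.conf / ipsec.secrets for two VMs that
# authenticate each other with a shared random pre-shared key.
# Connection name, directory layout and addresses are assumptions.

# gen_psk: 32 random bytes, base64-encoded, used as the pre-shared key.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# render_host OUTDIR LOCAL_IP PEER_IP AUTO PSK
# Writes OUTDIR/ipsec.conf and OUTDIR/ipsec.secrets for one VM.
render_host() {
    outdir=$1 local_ip=$2 peer_ip=$3 auto=$4 psk=$5
    mkdir -p "$outdir" || return 1
    cat > "$outdir/ipsec.conf" <<EOF
config setup

conn vm-to-vm
    keyexchange=ikev2
    authby=secret
    type=transport
    left=$local_ip
    right=$peer_ip
    auto=$auto
EOF
    # The secrets file is created readable by its owner only.
    ( umask 077 && printf '%s %s : PSK "%s"\n' \
        "$local_ip" "$peer_ip" "$psk" > "$outdir/ipsec.secrets" )
}

# render_pair OUTDIR IP_A IP_B
# vm-a only loads the connection and waits (auto=add);
# vm-b initiates when its daemon starts (auto=start).
render_pair() {
    psk=$(gen_psk) || return 1
    render_host "$1/vm-a" "$2" "$3" add "$psk" &&
    render_host "$1/vm-b" "$3" "$2" start "$psk"
}

# Usage: sh render.sh ./out 192.168.56.101 192.168.56.102
if [ "$#" -eq 3 ]; then
    render_pair "$@"
fi
```

Each rendered pair is meant to be copied to `/etc/ipsec.conf` and `/etc/ipsec.secrets` on its VM (the usual locations on Ubuntu) before running `ipsec start` there; `ipsec statusall` then shows whether the connection came up.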