[strongSwan] Instructions on getting 2 virtual boxes connected with strongswan

Noel Kuntze noel at familie-kuntze.de
Thu May 1 20:59:45 CEST 2014


The NetworkManager plugin has a couple of restrictions and can only be used as a client. If you want to connect two VMs together, at least one has to run strongSwan all the time and be able to react to the other VM's packets.
You can't use NetworkManager on both. I advise simply using strongSwan itself on both hosts and setting it up correctly.

On 01.05.2014 20:56, Brian Watson wrote:
> So is this the information that I should follow from the wiki:
>
> Is it best to use the NetworkManager plugin?
>
>
>     Configuration Files
>
> The configuration files used by strongSwan are as follows:
>
>   * ipsec.conf <http://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf>: provides the configuration of IPsec connections
>   * ipsec.secrets <http://wiki.strongswan.org/projects/strongswan/wiki/IpsecSecrets>: lists the secrets (pre-shared keys, private keys)
>   * ipsec.d <http://wiki.strongswan.org/projects/strongswan/wiki/IpsecDirectory>: stores certificates and private keys
>   * strongswan.conf <http://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf>: allows one to configure global settings
>
> Other Configuration Sources
>
> The configuration may also be loaded from an SQL database <http://wiki.strongswan.org/projects/strongswan/wiki/SQL> or provided by custom plugins like the one used with
> the NetworkManager plugin <http://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager>.
>
> Invocation and Maintenance
>
> strongSwan is usually controlled with the ipsec command <http://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand>. |ipsec start| will start the starter daemon <http://wiki.strongswan.org/projects/strongswan/wiki/IpsecStarter> which in turn
> starts and configures the keying daemon charon <http://wiki.strongswan.org/projects/strongswan/wiki/Charon>.
>
> Connections defined as conn sections in ipsec.conf <http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection> can be started on three different occasions:
>
>   * *On startup*: Connections configured with /auto=start/ will automatically be established when the daemon is started.
>   * *On traffic*: If /auto=route/ is used, IPsec policies for the configured traffic (/left|rightsubnet/) will be installed and traffic
>     matching these policies will trigger events that cause the daemon to establish the connection.
>   * *Manually*: A connection that uses /auto=add/ has to be established manually with |ipsec up <name>|. It is also
>     possible to use |ipsec route <name>| to install policies manually for such connections.
>
> After an SA has been established |ipsec down| may be used to tear down the IKE_SA or individual CHILD_SAs.
>
> Whenever the ipsec.conf <http://wiki.strongswan.org/projects/strongswan/wiki/Ipsecconf> file is changed it may be reloaded with |ipsec update| or |ipsec reload|. Already established
> connections are not affected by these commands, if that is required |ipsec restart| must be used.
>
> If ipsec.secrets <http://wiki.strongswan.org/projects/strongswan/wiki/Ipsecsecrets> or the files in ipsec.d <http://wiki.strongswan.org/projects/strongswan/wiki/IpsecDirectory> have been changed the ipsec reread... <http://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand#Reread-Commands> commands may be used to reload these files.
> End-entity certificates placed in ipsec.d/certs <http://wiki.strongswan.org/projects/strongswan/wiki/IpsecDirectoryCerts> are not reloaded automatically, instead they are loaded whenever referenced
> with /left|rightcert/ in a conn section <http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection>. Using the ipsec purge... <http://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand#Purge-Commands> commands may be required in order for the new files to be used.
>
> Using the ipsec list... <http://wiki.strongswan.org/projects/strongswan/wiki/Ipseccommand#List-Commands> commands will provide information about loaded or cached certificates, supported algorithms and
> loaded plugins.
>
>
>
>
> On Thu, May 1, 2014 at 11:34 AM, Brian Watson <brianwatson999999 at gmail.com <mailto:brianwatson999999 at gmail.com>> wrote:
>
>     Hi,
>       I'm new to StrongSwan and am looking for some good instructions on setting up a VPN between 2 virtual machines running on the same laptop. The wiki pages seem to lay out a lot of different scenarios, but nothing to walk you through the steps necessary to start from scratch. I've downloaded the sw into my Ubuntu machine, but can't find the instructions as to what app to start and what to do next.
>
>       Any ideas?
>
>     Thanks,
>        Brian

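A minimal host-to-host setup of the kind the reply above recommends, with one VM waiting as responder and the other initiating, as an added example that is not part of the original thread or of strongSwan itself. The addresses, the connection name `vm-vm`, the choice of IKEv2 with a pre-shared key, and the output layout are all assumptions.

```shell
#!/bin/sh
# Added example: render mirrored strongSwan configs for two VMs into a
# scratch directory. IPs, the conn name "vm-vm" and the layout are assumptions.

# 32 random bytes, base64-encoded, used as the pre-shared key.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_host OUTDIR LOCAL_IP REMOTE_IP AUTO PSK
write_host() {
    outdir=$1; local_ip=$2; remote_ip=$3; auto=$4; psk=$5
    mkdir -p "$outdir"
    cat > "$outdir/ipsec.conf" <<EOF
config setup

conn vm-vm
    keyexchange=ikev2
    authby=secret
    type=transport
    left=$local_ip
    right=$remote_ip
    auto=$auto
EOF
    # Create the secrets file owner-only (0600); it holds the PSK in clear.
    ( umask 077
      printf '%s %s : PSK "%s"\n' "$local_ip" "$remote_ip" "$psk" \
          > "$outdir/ipsec.secrets" )
}

# render_pair OUTDIR VM_A_IP VM_B_IP
# VM A only loads the connection and answers (auto=add); VM B initiates
# when its daemon starts (auto=start). Both get the same PSK.
render_pair() {
    psk=$(gen_psk)
    write_host "$1/vm-a" "$2" "$3" add   "$psk"
    write_host "$1/vm-b" "$3" "$2" start "$psk"
}

# Usage: sh render.sh ./out 192.168.56.101 192.168.56.102
# Then install each vm-*/ pair as ipsec.conf and ipsec.secrets (usually in
# /etc) on the matching VM, run "ipsec restart" on A and then on B, and
# inspect the result with "ipsec statusall".
if [ "$#" -eq 3 ]; then
    render_pair "$@"
fi
```
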


