[strongSwan] The PLAN --- Can we get this done with strongSwan ?

Noel Kuntze noel at familie-kuntze.de
Tue Nov 25 19:09:00 CET 2014


Hello Matthew,

This can be done; however, you need to take into account that you might have to add routes to your managed
networks if the strongSwan server in your LAN isn't the default router.
See [1] for all the needed information.
As Tobias wrote, you will do very well with having different networks at the different locations, or you'd
have to fiddle around with the NETMAP target in iptables to map conflicting networks onto other subnets.

To realize this, you could use a distinct IP range for your moon boxes and assign them an IP from a static
pool in strongSwan using virtual IPs. The local traffic selector on SUN would be your LAN and the remote traffic
selector would be 0.0.0.0/0. On the moon boxes, the local traffic selector would be the LAN and %dynamic, if
that configuration is allowed. In your own LAN, the distinct IP range for the moon boxes would be routed over SUN,
and authentication would be done with certificates and a trusted CA.
This description of a configuration is based on [2] and [3].

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
[2] http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/
[3] http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/

Kind regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 25.11.2014 at 11:46, Matthew Ferry [PITSDC] wrote:
> Folks,
>
> Good morning. I posted a message/issue in the Bug Tracker system the other day.
> I am looking for some help getting started.
>
> I have a project that I think strongSwan will be perfect for.
> I have looked at examples, but am overwhelmed with options and possibilities.
>
> Here is a URL to the posting I made:
> https://wiki.strongswan.org/issues/773
>
> IN REPLY to Tobias Brunner's comment ---
> Each location can have its own subnet. I would like to manage this IP plan from one central location.
> The number of needed IPs will change based on the location.
>
> Thanks for any input.
> I am looking forward to moving forward quickly.
>
> Thanks
> Matt

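The hub-and-spoke layout Noel sketches above (moons get a virtual IP from a pool on SUN, SUN's local traffic selector is its LAN and its remote selector 0.0.0.0/0, authentication by certificates from one trusted CA), written out as an added ipsec.conf example; this is not configuration from the original message or from the strongSwan project. All hostnames, identities, addresses, certificate file names and the CA DN are assumed placeholders, and the moon side assumes a strongSwan 5.x that accepts %dynamic in leftsubnet, which Noel leaves open.

```conf
# --- /etc/ipsec.conf on SUN (the gateway in the central LAN) ---
# Assumed values: central LAN 10.1.0.0/16, virtual-IP pool 10.3.0.0/24,
# identity sun.example.org, CA certificate installed in /etc/ipsec.d/cacerts/.
config setup

conn %default
        keyexchange=ikev2
        authby=pubkey              # certificate authentication, trust anchored in the CA
        leftfirewall=yes           # let the updown script add the FORWARD rules

conn moons
        left=%defaultroute
        leftcert=sunCert.pem
        leftid=@sun.example.org
        leftsubnet=10.1.0.0/16     # local TS: the central LAN
        right=%any                 # any moon may connect
        rightca="C=XX, O=Example, CN=Example CA"   # accept only certificates from this CA
        rightsourceip=10.3.0.0/24  # pool the moons draw their virtual IP from
        rightsubnet=0.0.0.0/0      # remote TS: narrowed to what each moon proposes
        auto=add

# --- /etc/ipsec.conf on a MOON box (one branch location) ---
# Assumed values: branch LAN 192.168.10.0/24 (each moon uses a distinct one),
# identity moon1.example.org.
config setup

conn sun
        left=%defaultroute
        leftcert=moon1Cert.pem
        leftid=@moon1.example.org
        leftsourceip=%config                  # request a virtual IP from SUN's pool
        leftsubnet=192.168.10.0/24,%dynamic   # branch LAN plus the assigned virtual IP
        leftfirewall=yes
        right=sun.example.org
        rightid=@sun.example.org
        rightsubnet=10.1.0.0/16               # reach the central LAN through the tunnel
        auto=start

# On SUN, enable net.ipv4.ip_forward=1. If SUN is not the central LAN's default
# router, add routes for 10.3.0.0/24 and each branch LAN pointing at SUN (see [1]).
```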
