[strongSwan] The PLAN --- Can we get this done with strongSwan ?
Noel Kuntze
noel at familie-kuntze.de
Sat Nov 29 16:14:47 CET 2014
Hello Matthew,
How does it fail? What is the output when you try to "up" the connection?
If you want live assistance, I can offer you assistance over skype/teamviewer/ssh.
Kind regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 29.11.2014 at 15:29, Matthew Ferry wrote:
> Folks,
>
> I am lost. Not making headway with examples I have found.
> The Security Associations will have 1 connecting from time to time.
>
> Does anyone see anything wrong with the ipsec.conf files?
> Is anyone who works with strongSwan close to Pittsburgh, PA USA?
>
> Thanks for your review.
> My SUN is set up with:
>
> config setup
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     authby=secret
>     keyexchange=ikev2
>     mobike=no
>
> conn net-net
>     left=domain.org
>     leftsubnet=192.168.200.0/24
>     leftid=@NOC
>     leftfirewall=yes
>     right=%any                 # peer address not fixed: accept IKE from any address
>     rightsubnet=10.0.0.0/24
>     rightid=@Site1             # ...but only from this IKE identity
>     auto=add                   # load the conn at startup without initiating it
>
> The Moon side with:
>
> config setup
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     authby=secret
>     keyexchange=ikev2
>     mobike=no
>
> conn net-net
>     left=%any                  # use whichever local address routes to the peer
>     leftsubnet=10.0.0.0/24
>     leftid=@Site1
>     leftfirewall=yes
>     right=domain.org
>     rightsubnet=192.168.200.0/24
>     rightid=@NOC
>     auto=add                   # load only; nothing initiates unless "strongswan up net-net" is run
>
> FROM SUN:
>
> [root at vpn strongswan]# strongswan statusall
>
> Status of IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-504.1.3.el6.x86_64, x86_64):
> uptime: 7 minutes, since Nov 29 09:14:18 2014
> malloc: sbrk 376832, mmap 0, used 356032, free 20800
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
> loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
> Listening IP addresses:
> 192.168.200.214
> Connections:
> net-net: domain.org...%any IKEv2
> net-net: local: [NOC] uses pre-shared key authentication
> net-net: remote: [Site1] uses pre-shared key authentication
> net-net: child: 192.168.200.0/24 === 10.0.0.0/24 TUNNEL
> Security Associations (0 up, 0 connecting):
> none
>
>
> FROM MOON:
>
> [root at localhost strongswan]# strongswan statusall
>
> Status of IKE charon daemon (strongSwan 5.2.0, Linux 3.10.0-123.9.3.el7.x86_64, x86_64):
> uptime: 6 seconds, since Nov 29 09:25:43 2014
> malloc: sbrk 1757184, mmap 0, used 385312, free 1371872
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
> loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam dhcp
> Listening IP addresses:
> 192.168.201.164
> Connections:
> net-net: %any...domain.org IKEv2
> net-net: local: [Site1] uses pre-shared key authentication
> net-net: remote: [NOC] uses pre-shared key authentication
> net-net: child: 10.0.0.0/24 === 192.168.200.0/24 TUNNEL
> Security Associations (0 up, 0 connecting):
> none
>
> On 11/25/2014 1:09 PM, Noel Kuntze wrote:
> Hello Matthew,
>
> This can be done; however, you need to take into account that you might have to add routes to your managed
> networks if the strongSwan server in your LAN isn't the default router.
> See [1] for all the needed information.
> As Tobias wrote, you will do very well with having different networks on the different locations or you'd
> have to fiddle around with the NETMAP target in iptables to map conflicting networks onto other subnets.
>
> To realize this, you could use a distinct IP range for your moon boxes and assign them an IP from a static
> pool in strongSwan using virtual IPs. The local traffic selector on SUN would be your LAN and the remote traffic
> selector would be 0.0.0.0/0. On the moon boxes, the local traffic selector would be the LAN and %dynamic, if
> that configuration is allowed. In your own LAN, the distinct IP range for the moon boxes would be routed over SUN
> and authentication would be done with certificates and a trusted CA.
> This description of a configuration is based on [2] and [3].
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
> [2] http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/
> [3] http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 25.11.2014 at 11:46, Matthew Ferry [PITSDC] wrote:
> >>> Folks,
> >>>
> >>> Good Morning. I posted a message/Issue in the Bug Tracker system the other day.
> >>> I am looking for some help getting started.
> >>>
> >>> I have a project that I think strongSwan will be perfect for.
> >>> I have looked at examples, but am overwhelmed with options and possibilities.
> >>>
> >>> Here is a URL to the posting I made:
> >>> https://wiki.strongswan.org/issues/773
> >>>
> >>> IN REPLY to Tobias Brunner's comment ---
> >>> Each location can have its own subnet. I would like to manage this IP plan from one central location.
> >>> The number of needed IPs will change based on the location.
> >>>
> >>> Thanks for any input.
> >>> I am looking forward to moving forward quickly.
> >>>
> >>> Thanks
> >>> Matt
> >>>
> >>>
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at lists.strongswan.org
> >>> https://lists.strongswan.org/mailman/listinfo/users
>
>
> --
> - Thanks and Regards,
>
> Matthew R. Ferry
> General Manager
>
>
>
> One Oxford Centre
> 301 Grant Street, Suite 4300
> Pittsburgh, Pennsylvania 15219
> United States
>
> Toll Free: 855-4-PITSDC
> Local Fax: 412-368-9021
>
> Departments: Development <http://development.pitsdc.com> | IT Services <http://itservices.pitsdc.com> | Hosting <http://hosting.pitsdc.com>
>
> Follow Us: Twitter @PITSDC <www.twitter.com/pitsdc> | Facebook /PITSDC <www.facebook.com/pitsdc>
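Editor's note, not part of the thread: a worked ipsec.conf layout for the two pieces discussed above, constructed for illustration rather than taken from either author. Part 1 is the PSK net-net pair from Matthew's mail with the one change that makes moon actually initiate (both sides as posted use auto=add, which only loads the conn into charon; nobody sends IKE_SA_INIT, which is consistent with "0 up, 0 connecting" on both status outputs). Part 2 is the pooled-virtual-IP, certificate-authenticated layout Noel sketches in his earlier reply. The host/CA names (sun.domain.org, site1.domain.org, "Example CA"), the DN strings, the 10.99.0.0/24 pool, the conn name "sites" and the key/cert file names are assumptions, not values from the thread.

```ini
# ===== Part 1: net-net with a pre-shared key (the thread's setup), corrected =====

# /etc/ipsec.conf on SUN (responder, reachable as domain.org)
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    authby=secret
    keyexchange=ikev2
    mobike=no

conn net-net
    left=domain.org
    leftsubnet=192.168.200.0/24
    leftid=@NOC
    leftfirewall=yes
    right=%any                      # site address unknown in advance
    rightsubnet=10.0.0.0/24
    rightid=@Site1                  # PSK is selected by this identity pair
    keyingtries=1
    auto=add                        # responder: load and wait

# /etc/ipsec.conf on moon (initiator); same "config setup" and "conn %default" as above
conn net-net
    left=%defaultroute              # address on the interface that routes to domain.org
    leftsubnet=10.0.0.0/24
    leftid=@Site1
    leftfirewall=yes
    right=domain.org
    rightsubnet=192.168.200.0/24
    rightid=@NOC
    keyingtries=%forever            # keep retrying if domain.org is unreachable at boot
    auto=start                      # initiator: bring the SA up when charon starts

# /etc/ipsec.secrets on BOTH hosts: the PSK is indexed by IKE identity, not by address
@NOC @Site1 : PSK "replace-with-a-long-random-secret"

# ===== Part 2: Noel's plan: pooled virtual IPs for the moons + certificate auth =====

# /etc/ipsec.conf on SUN
conn sites
    left=domain.org
    leftcert=sunCert.pem
    leftid="C=US, O=Example, CN=sun.domain.org"
    leftsubnet=192.168.200.0/24
    leftfirewall=yes
    right=%any
    rightid="C=US, O=Example, CN=*"             # any site certificate...
    rightca="C=US, O=Example, CN=Example CA"    # ...issued by our own CA
    rightsourceip=10.99.0.0/24                  # virtual IPs for the moons; a named
                                                # attr-sql pool (ip-pool-db test) gives
                                                # fixed per-site addresses instead
    rightsubnet=0.0.0.0/0                       # remote TS: whatever the moon offers
    auto=add

# /etc/ipsec.conf on each moon
conn sites
    left=%defaultroute
    leftcert=site1Cert.pem
    leftid="C=US, O=Example, CN=site1.domain.org"
    leftsourceip=%config                        # request a virtual IP from SUN
    leftsubnet=10.0.0.0/24,%dynamic             # site LAN plus the assigned VIP
    leftfirewall=yes
    right=domain.org
    rightid="C=US, O=Example, CN=sun.domain.org"
    rightsubnet=192.168.200.0/24
    keyingtries=%forever
    auto=start

# /etc/ipsec.secrets on each host: private key belonging to its certificate
: RSA sunKey.pem                                # site1Key.pem on the moons

# Still needed on SUN: net.ipv4.ip_forward=1, and (if SUN is not the LAN's default
# router) routes for 10.99.0.0/24 and each site LAN pointing at SUN on the other
# LAN hosts, per the ForwardingAndSplitTunneling wiki page cited above.
```

Checks after loading this: "strongswan statusall" on SUN should move from "(0 up, 0 connecting)" to one SA up per site, and the "child:" line of an established "sites" SA should list both the site LAN and the assigned 10.99.0.x/32 on the remote side. If it shows only one of them, the %dynamic form in leftsubnet is the first thing to revisit, as Noel's "if that configuration is allowed" already warns. "strongswan up net-net" (or "up sites") on a moon triggers the exchange by hand and prints the failing step, which is the output the question at the top of this mail asks for.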