[strongSwan] The PLAN --- Can we get this done with strongSwan ?
Matthew Ferry
matthew.ferry at pitsdc.com
Sat Nov 29 15:29:51 CET 2014
Folks,
I am lost. I am not making headway with the examples I have found.
The Security Associations will have 1 connecting from time to time.
Does anyone see anything wrong with the ipsec.conf files?
Is anyone who works with strongSwan close to Pittsburgh, PA, USA?
Thanks for your review.
My SUN is set up with:
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no

conn net-net
    left=domain.org
    leftsubnet=192.168.200.0/24
    leftid=@NOC
    leftfirewall=yes
    right=%any
    rightsubnet=10.0.0.0/24
    rightid=@Site1
    auto=add
The Moon side with:
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no

conn net-net
    left=%any
    leftsubnet=10.0.0.0/24
    leftid=@Site1
    leftfirewall=yes
    right=domain.org
    rightsubnet=192.168.200.0/24
    rightid=@NOC
    auto=add
FROM SUN
[root at vpn strongswan]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.2.0, Linux
2.6.32-504.1.3.el6.x86_64, x86_64):
uptime: 7 minutes, since Nov 29 09:14:18 2014
malloc: sbrk 376832, mmap 0, used 356032, free 20800
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
0/0/0/0, scheduled: 0
loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random
nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12
pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr
kernel-netlink resolve socket-default farp stroke vici updown
eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
Listening IP addresses:
192.168.200.214
Connections:
net-net: domain.org...%any IKEv2
net-net: local: [NOC] uses pre-shared key authentication
net-net: remote: [Site1] uses pre-shared key authentication
net-net: child: 192.168.200.0/24 === 10.0.0.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
none
FROM MOON
[root at localhost strongswan]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.2.0, Linux
3.10.0-123.9.3.el7.x86_64, x86_64):
uptime: 6 seconds, since Nov 29 09:25:43 2014
malloc: sbrk 1757184, mmap 0, used 385312, free 1371872
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0
loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random
nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr
kernel-netlink resolve socket-default farp stroke vici updown
eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
xauth-generic xauth-eap xauth-pam dhcp
Listening IP addresses:
192.168.201.164
Connections:
net-net: %any...domain.org IKEv2
net-net: local: [Site1] uses pre-shared key authentication
net-net: remote: [NOC] uses pre-shared key authentication
net-net: child: 10.0.0.0/24 === 192.168.200.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
none
On 11/25/2014 1:09 PM, Noel Kuntze wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello Matthew,
>
> This can be done, however you need to take into account that you might have to add routes to your managed
> networks if the strongSwan server in your LAN isn't the default router.
> See [1] for all the needed information.
> As Tobias wrote, you will do very well with having different networks on the different locations or you'd
> have to fiddle around with the NETMAP target in iptables to map conflicting networks onto other subnets.
>
> To realize this, you could use a distinct IP range for your moon boxes and assign them an IP from a static
> pool in strongSwan using virtual IPs. The local traffic selector on SUN would be your LAN and the remote traffic
> selector would be 0.0.0.0/0. On the moon boxes, the local traffic selector would be the LAN and %dynamic, if
> that configuration is allowed. In your own LAN, the distinct IP range for the moon boxes would be routed over SUN
> and authentication would be done with certificates and a trusted CA.
> This description of a configuration is based on [2] and [3].
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
> [2] http://www.strongswan.org/uml/testresults/ikev2/ip-pool-db/
> [3] http://www.strongswan.org/uml/testresults/ikev2/net2net-cert/
>
> Kind regards/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 25.11.2014 at 11:46, Matthew Ferry [PITSDC] wrote:
>> Folks,
>>
>> Good Morning. I posted a message/Issue in the Bug Tracker system the other day.
>> I am looking for some help getting started.
>>
>> I have a project that I think strongSwan will be perfect for.
>> I have looked at examples, but am overwhelmed with options and possibilities.
>>
>> Here is a URL to the posting I made:
>> https://wiki.strongswan.org/issues/773
>>
>> IN REPLY to Tobias Brunner's comment ---
>> Each location can have its own subnet. I would like to manage this IP plan from one central location.
>> The number of needed IPs will change based on the location.
>>
>> Thanks for any input.
>> I am looking forward to moving forward quickly.
>>
>> Thanks
>> Matt
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJUdMW8AAoJEDg5KY9j7GZYzw4P/RSV8XYL/9nWoXTxjwX7UvyY
> 3V7kg3KS08+8dudVMQgnWYHJjhGwsjCRnKzZ2ze6PWCp5yuBnZAipkLdQzT7jKxV
> ovczRy20rwn4Zoqi8VqkFbzG+k2tAulHT8jiUgfz4EPxMTwjErVBrFiRvkeFVCM2
> W6AIDEudgvfxdhAwQOazjkmMNfQ+/Mg4t1nrbxMXmHUrRcIs+rMZzJP9vFMCnQnc
> ybrLp68doydNUbl1ArqjLmR4WqGNrJhXWaGiHAt5yhzVpFlQD9QRO/xkdPXV/Zz5
> zzWkCyKGqYqpmHBH7MexYIE8xZJhax8G2aqWrDOgpIsA31l9OWTr6lpqow6V1iwv
> qJcdi3MbF+8cgx45W+4t2bYD1Gf0TeqYOWccxKBgnqhEgajWpodAH37WTH2kuPaQ
> m8to3jFYb+mE5gDD7978KvG00sgS5VxF02MnckOwc7M1yVEEgLmbQJeL740nDcsO
> dfBtlKIJNpeKqT+tZ80/ef6GZ5fiX57XK4TytBNLjHe+yBkSh4TDi2PqBMGUh85s
> bmisUmi2bKhsO2Li8iWRW6NfQ+vwD29mqu7PjxfZeXAe1ho7PolC2LBPHJ3iT/Ly
> lEOIdejDrjmjsYLx1FRnnSZM988L1I46DK3BpYmp9e8lJ5akV9czRjFAH5Ntsdeg
> GddJ9EYlqXcd1Sa2Hov9
> =bLBd
> -----END PGP SIGNATURE-----
--
- Thanks and Regards,
Matthew R. Ferry
General Manager
One Oxford Centre
301 Grant Street, Suite 4300
Pittsburgh, Pennsylvania 15219
United States
Toll Free: 855-4-PITSDC
Local Fax: 412-368-9021
Departments: Development <http://development.pitsdc.com> | IT Services
<http://itservices.pitsdc.com> | Hosting <http://hosting.pitsdc.com>
Follow Us: Twitter @PITSDC <www.twitter.com/pitsdc> | Facebook /PITSDC
<www.facebook.com/pitsdc>
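Added example (editor's code, not from the thread or the strongSwan project): a small lint that cross-checks a net-net ipsec.conf pair the way a reviewer reads it, with the two files posted above embedded as constructed input. The parser is a minimal re-implementation of the ipsec.conf section rule (a line at column 0 opens a section, indented lines are its parameters), not strongSwan's own parser. Run on the two files as posted, the one thing it flags is that both ends use auto=add, which only loads the conn into charon; until one side uses auto=start or auto=route, "Security Associations (0 up, 0 connecting)" is the expected state on both peers, and the peer with right=%any is not the one that can initiate.

```python
"""Cross-check a strongSwan net-net ipsec.conf pair for configuration mistakes
that leave both ends at "Security Associations (0 up, 0 connecting)".
Minimal ipsec.conf parser: column-0 line opens a section, indented lines are
its parameters (this is a re-implementation, not strongSwan's parser)."""

# Shared "conn %default" block, constructed from the values posted in the thread.
DEFAULTS = """\
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    keyexchange=ikev2
    mobike=no
"""

# SUN (fixed address, 192.168.200.0/24 behind it) as posted.
SUN_CONF = DEFAULTS + """\
conn net-net
    left=domain.org
    leftsubnet=192.168.200.0/24
    leftid=@NOC
    leftfirewall=yes
    right=%any
    rightsubnet=10.0.0.0/24
    rightid=@Site1
    auto=add
"""

# MOON (dynamic address, 10.0.0.0/24 behind it) as posted.
MOON_CONF = DEFAULTS + """\
conn net-net
    left=%any
    leftsubnet=10.0.0.0/24
    leftid=@Site1
    leftfirewall=yes
    right=domain.org
    rightsubnet=192.168.200.0/24
    rightid=@NOC
    auto=add
"""

INITIATING = {"start", "route"}   # auto= values under which charon itself brings the conn up


def parse_ipsec_conf(text):
    """Return {conn_name: params} with "conn %default" folded into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                  # column 0: "conn name" / "config setup"
            current = " ".join(line.split())
            sections.setdefault(current, {})
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    defaults = sections.get("conn %default", {})
    return {name[len("conn "):]: {**defaults, **params}
            for name, params in sections.items()
            if name.startswith("conn ") and name != "conn %default"}


def lint_pair(a_conf, b_conf, conn="net-net"):
    """Lint one conn as seen from peers A and B; returns a list of (code, message)."""
    a, b = parse_ipsec_conf(a_conf)[conn], parse_ipsec_conf(b_conf)[conn]
    findings = []
    # 1. The two ends must mirror: A's left* values are B's right* values and vice versa.
    for mine, theirs in (("leftsubnet", "rightsubnet"), ("leftid", "rightid")):
        if a.get(mine) != b.get(theirs) or a.get(theirs) != b.get(mine):
            findings.append(("mirror_mismatch",
                             f"{mine}/{theirs} differ: A={a.get(mine)}/{a.get(theirs)} "
                             f"B={b.get(mine)}/{b.get(theirs)}"))
    # 2. auto=add only loads the conn; without auto=start (initiate at startup) or
    #    auto=route (initiate on the first matching packet) on one side, nothing connects.
    if a.get("auto", "ignore") not in INITIATING and b.get("auto", "ignore") not in INITIATING:
        findings.append(("no_initiator",
                         "neither peer initiates: set auto=start or auto=route on the peer "
                         "whose right= is a real address"))
    # 3. A peer with right=%any has no address to send IKE_SA_INIT to, so it cannot initiate.
    for label, p in (("A", a), ("B", b)):
        if p.get("right") == "%any" and p.get("auto") in INITIATING:
            findings.append(("initiator_to_any",
                             f"{label} has right=%any with auto={p['auto']}: "
                             "only the other peer can initiate"))
    # 4. Both ends must agree on the IKE version.
    if a.get("keyexchange") != b.get("keyexchange"):
        findings.append(("ike_version_mismatch",
                         f"keyexchange A={a.get('keyexchange')} B={b.get('keyexchange')}"))
    return findings


if __name__ == "__main__":
    for code, msg in lint_pair(SUN_CONF, MOON_CONF) or [("ok", "no findings")]:
        print(f"{code}: {msg}")
```

Running the script prints the no_initiator finding for the pair as posted; swapping MOON's auto=add for auto=start clears it, while putting auto=start on SUN instead trips the initiator_to_any check because SUN only knows its peer as %any. What the script cannot see is ipsec.secrets: with authby=secret both daemons also need a PSK entry that matches the @NOC and @Site1 identities, so that file is the next thing to check by hand once a peer does start initiating.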