[strongSwan] is this scenario supported by strongswan?
gustavo panizzo (gfa)
gfa at zumbi.com.ar
Tue Oct 21 12:50:00 CEST 2014
OK, I have it (almost) working.

VPN server ipsec.conf (running strongSwan 5.2):
config setup
        # uniqueids=never
        charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftsubnet=0.0.0.0/0
        leftcert=serverHostCert.pem
        right=%any
        rightdns=8.8.8.8
        rightsourceip=192.168.126.3/24
        type=tunnel
        #rightsubnet=192.168.126.0/24
        forceencaps=yes

conn nexus5
        keyexchange=ikev1
        # forceencaps=yes
        rightauth=pubkey
        rightauth2=xauth
        auto=add
        rightsourceip=192.168.126.5

(many more like this one, all of them android phones)

conn <laptop>
        keyexchange=ikev2
        auto=add
        #leftsubnet=192.168.126.0/24
        #rightsourceip=192.168.126.4

conn <workstation>
        keyexchange=ikev2
        auto=add
        leftsubnet=192.168.126.0/24
The only thing I cannot get to work is being able to ssh from
<laptop> to <workstation>.
I don't understand how I could do it, as the IPs assigned to <laptop> and
<workstation> have a /32 netmask.
Also, I run many VMs on <laptop> which I would like to be able to route
into the VPN, but it is not possible as I don't get any route.
I can reach the network behind the VPN server, 192.168.125.1; that's good.
Output from <workstation>:

$ ip r
default via 172.17.0.1 dev eth0
172.17.0.0/21 dev eth0 proto kernel scope link src 172.17.1.163
192.168.122.0/24 dev prov0 proto kernel scope link src 192.168.122.1
192.168.255.0/24 dev br0 proto kernel scope link src 192.168.255.1

$ ip -4 a
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 172.17.1.163/21 brd 172.17.7.255 scope global eth0
       valid_lft forever preferred_lft forever
    *inet 192.168.126.4/32 scope global eth0*
       valid_lft forever preferred_lft forever
ipsec.conf on <workstation> (running strongSwan 5.2):

config setup
        nat_traversal = yes
        charonstart=no

conn sample-with-ca-cert
        leftsourceip=%config
        rightsubnet=192.168.125.0/24
        leftcert=workstationCert.pem
        leftid=workstation
        right=vpn-server-ip
        rightid="C=AR, O=strongSwan, CN=vpn-server-FQDN"
        auto=start
        leftfirewall = yes
I feel like I'm missing something obvious, but I cannot get an answer
googling for it.
Any pointer will be appreciated.
Thanks
On 10/14/2014 03:40 PM, Martin Willi wrote:
> Hi,
>
>> I want to know if strongSwan running on a Linux server can support these
>> clients:
>>
>> - Android phones using the native client, configured as IPsec RSA XAuth
>> (x509+XAuth); all traffic should be routed over the VPN
>>
>> - MikroTik router, configured as IPsec RSA, behind a dynamic IP but not
>> NAT (ADSL); not all traffic should be routed over the VPN.
>> The router will NAT its clients into the VPN
>>
>> - remote workstation running Linux behind NAT; not all traffic should be
>> routed over the VPN, but it should allow connections from other VPN clients
>>
>> - laptop running Linux, most of the time behind NAT; it may or may not
>> need to route all the traffic over the VPN, and it needs to be able to connect
>> to the remote workstation over the VPN
> That should be doable, yes. Obviously you'll need multiple connection
> definitions in your ipsec.conf, most likely one for each of these
> clients.
>
> The tricky part is probably to assign the correct connection definition
> to each connecting client. I assume the first two use IKEv1? Then you
> can distinguish them by the authentication method. For the latter two
> I'd recommend to use IKEv2 (and strongSwan clients?), but not sure what
> your "other vpn client" supports. If required you can use different
> leftids on your responder with IKEv2, and then select the correct
> configuration based on the proposed responder identity. Alternatively
> you may select the configuration based on the client identity or its IP
> address; this highly depends on your client capabilities.
>
> Whether to "route all traffic over VPN" depends on your leftsubnet
> configuration; you may also dynamically allow clients to propose what to
> tunnel by using traffic selector narrowing.
>
>> I want to know if strongSwan can do all this for me running on a single
>> server, on a single instance with a single pool of IPs
> Sharing an in-memory virtual IP pool is straightforward since 5.0.1;
> just define the same rightsourceip pool subnet to share it across
> multiple connections.
>
> Regards
> Martin
>
--
1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333
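The client-to-client question above comes down to traffic selectors: a packet from one client's virtual IP to another client's /32 virtual IP is decrypted on the gateway, forwarded in the clear (so net.ipv4.ip_forward must be 1) and re-encrypted into the second client's tunnel, and that only happens when the gateway's leftsubnet for both conns covers the shared rightsourceip pool (and, on the client side, its rightsubnet does too). The following checker is an added example, not part of the original post or of strongSwan itself: it parses an ipsec.conf in the format shown in the thread, applies conn %default inheritance, and reports for each conn whether the pool is inside the effective leftsubnet. The sample config is constructed here and modelled on the post, and the function names and the assumption that the shared pool is declared in conn %default are mine.

```python
import ipaddress

# Constructed sample modelled on the gateway config in the post (not the
# poster's literal file). "lan-only" is added to show the failing case.
SAMPLE_IPSEC_CONF = """\
config setup
    charondebug="cfg 2, ike 2"

conn %default
    keyexchange=ikev2
    left=%any
    leftsubnet=0.0.0.0/0
    right=%any
    rightsourceip=192.168.126.3/24

conn phone
    keyexchange=ikev1
    rightsourceip=192.168.126.5   # single address, still inside the shared pool
    auto=add

conn laptop
    keyexchange=ikev2
    auto=add

conn workstation
    keyexchange=ikev2
    leftsubnet=192.168.126.0/24
    auto=add

conn lan-only
    leftsubnet=192.168.125.0/24
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Section headers start in column 0 ('conn NAME', 'config setup'); settings
    are indented 'key=value' lines. '#' comments and blank lines are skipped,
    and 'config setup' is parsed but not returned.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():  # section header
            kind, _, name = line.strip().partition(" ")
            current = (kind, name.strip())
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, sep, value = line.strip().partition("=")
        if sep:
            sections[current][key.strip()] = value.strip().strip('"')
    return {name: kv for (kind, name), kv in sections.items() if kind == "conn"}


def effective(conns, name):
    """Apply conn %default inheritance; a conn's own keys override the defaults."""
    merged = dict(conns.get("%default", {}))
    merged.update(conns[name])
    return merged


def pool_network(value):
    """rightsourceip=ADDR[/PREFIX] -> pool network; None for %config-style values."""
    if value.startswith("%"):
        return None
    return ipaddress.ip_network(value, strict=False)


def subnet_list(value):
    """leftsubnet may be a comma-separated list of CIDRs (a bare address is /32)."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",") if s.strip()]


def client_to_client_report(conns):
    """For each conn, is the shared pool (from %default) inside its leftsubnet?

    If not, the gateway never installs a policy covering client-to-client
    traffic for that conn, so packets between two virtual IPs are dropped
    regardless of routing on the clients.
    """
    default = conns.get("%default", {})
    pool = pool_network(default.get("rightsourceip", "%config"))
    report = {}
    for name in conns:
        if name == "%default":
            continue
        eff = effective(conns, name)
        subnets = subnet_list(eff["leftsubnet"]) if "leftsubnet" in eff else []
        covered = pool is not None and any(
            s.version == pool.version and pool.subnet_of(s) for s in subnets)
        report[name] = {
            "keyexchange": eff.get("keyexchange", "ike"),
            "leftsubnet": [str(s) for s in subnets],
            "pool_in_leftsubnet": covered,
        }
    return report


if __name__ == "__main__":
    for conn, info in client_to_client_report(parse_ipsec_conf(SAMPLE_IPSEC_CONF)).items():
        print(f"{conn:12s} {info}")
```

Run against a real file by replacing SAMPLE_IPSEC_CONF with the contents of /etc/ipsec.conf; a conn reported with pool_in_leftsubnet False cannot carry traffic to other clients' virtual IPs through the gateway, whatever the client-side routes look like. The same check applied to the client's rightsubnet tells you whether the client will even send such traffic into the tunnel.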