[strongSwan] is this scenario supported by strongswan?

gustavo panizzo (gfa) gfa at zumbi.com.ar
Tue Oct 21 12:50:00 CEST 2014

ok i have it (almost) working

vpn server ipsec.conf (running strongswan 5.2)

config setup
         # uniqueids=never
         charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default

conn nexus5
         # forceencaps=yes
(many more like this one, all of them android phones)

conn <laptop>

conn <workstation>

the only thing i cannot get to work is being able to ssh from 
<laptop> to <workstation>

i don't understand how i could do it, as the ips assigned to <laptop> and 
<workstation> have a /32 netmask
also i run many VMs on <laptop> which i would like to be able to route 
into the vpn, but that is not possible as i don't get any route

i can reach the network behind the vpn server, that's good

output from <workstation>

$ ip r
default via dev eth0
dev eth0  proto kernel  scope link  src
dev prov0  proto kernel  scope link  src
dev br0  proto kernel  scope link  src

$ ip -4 a

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast 
state UP group default qlen 1000
     inet brd scope global eth0
        valid_lft forever preferred_lft forever
*inet scope global eth0*
        valid_lft forever preferred_lft forever

ipsec.conf on <workstation> (running strongswan 5.2)

config setup
     nat_traversal = yes

conn sample-with-ca-cert
       rightid="C=AR, O=strongSwan, CN=vpn-server-FQDN"
       leftfirewall = yes

i feel like i'm missing something obvious, but i cannot get an answer 
googling for it
any pointers will be appreciated


On 10/14/2014 03:40 PM, Martin Willi wrote:
> Hi,
>> i want to know if strongswan running on a linux server can support these
>> clients.
>> - android phones using native client, and configured as ipsec rsa xauth
>> (x509+Xauth), all traffic should be routed over the vpn
>> - MikroTik router, configured as ipsec rsa, behind a dynamic ip but not
>> nat (adsl), not all traffic should be routed over vpn.
>> the router will nat its clients into the vpn
>> - remote workstation running linux behind nat, not all traffic should be
>> routed over vpn, but it should allow connections from other vpn client
>> - laptop running linux, most of the time behind nat, it may or may not
>> need to route all the traffic over vpn, it needs to be able to connect
>> to the remote workstation over the vpn
> That should be doable, yes. Obviously you'll need multiple connection
> definitions in your ipsec.conf, most likely one for each of these
> clients.
> The tricky part is probably to assign the correct connection definition
> to each connecting client. I assume the first two use IKEv1? Then you
> can distinguish them by the authentication method. For the latter two
> I'd recommend to use IKEv2 (and strongSwan clients?), but not sure what
> your "other vpn client" supports. If required you can used different
> leftids on your responder with IKEv2, and then select the correct
> configuration based on the proposed responder identity. Alternatively
> you may select the configuration based on the client identity or its IP
> address; this highly depends on your client capabilities.
> Whether to "route all traffic over VPN" depends on your leftsubnet
> configuration; you may also dynamically allow clients to propose what to
> tunnel by using traffic selector narrowing.
>> i want to know if strongswan can do all this for me running on a single
>> server, on a single instance with a single pool of ip
> Sharing an in-memory virtual IP pool is straightforward since 5.0.1;
> just define the same rightsourceip pool subnet to share it across
> multiple connections.
> Regards
> Martin

1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333
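Added illustration for this thread, not the poster's configuration nor anything Martin sent: a responder-side ipsec.conf in strongSwan 5.x syntax showing the two points raised in the reply above, one rightsourceip pool shared by several conn definitions (supported since 5.0.1) and a leftsubnet on the gateway that includes that pool, which is what allows one road warrior's traffic to another road warrior's /32 virtual IP to be carried to the responder and forwarded into the second client's SA. The pool 10.10.10.0/24, the LAN 192.168.100.0/24, the certificate file name and the client identities are placeholders chosen for the example.

```ini
# Added example (not the poster's config). Addresses, identities and
# certificate names are placeholders.
config setup
        charondebug="cfg 2, ike 2"

conn %default
        left=%defaultroute
        leftcert=serverCert.pem
        leftid="C=AR, O=strongSwan, CN=vpn-server-FQDN"
        # The gateway offers both the LAN behind it and the virtual IP pool
        # itself. Without the pool in leftsubnet, client-to-client packets
        # never match a tunnel policy and are dropped on the client side.
        leftsubnet=10.10.10.0/24,192.168.100.0/24
        # updown script inserts FORWARD rules per client; together with
        # net.ipv4.ip_forward=1 this covers pool<->client hairpin traffic.
        leftfirewall=yes
        right=%any
        # Identical pool in every conn => one shared in-memory pool.
        rightsourceip=10.10.10.0/24
        auto=add

# Android native client ("IPSec Xauth RSA"): IKEv1, certificate plus XAuth.
# Distinguished from the other conns by its authentication method.
conn android
        keyexchange=ikev1
        leftauth=pubkey
        rightauth=pubkey
        rightauth2=xauth
        # Full tunnel for the phones (still contains the pool).
        leftsubnet=0.0.0.0/0

# Linux laptop and workstation: IKEv2 with certificates, each conn selected
# by the identity in the client's certificate.
conn laptop
        keyexchange=ikev2
        leftauth=pubkey
        rightauth=pubkey
        rightid="C=AR, O=strongSwan, CN=laptop"

conn workstation
        keyexchange=ikev2
        leftauth=pubkey
        rightauth=pubkey
        rightid="C=AR, O=strongSwan, CN=workstation"
```

On the split-tunnel clients (laptop, workstation) the client-side rightsubnet has to cover the pool as well as the LAN, e.g. rightsubnet=10.10.10.0/24,192.168.100.0/24, or be left unset so the client proposes 0.0.0.0/0 and lets the responder narrow it to its leftsubnet; otherwise an ssh to the other client's virtual IP leaves via the default route instead of the tunnel. The XAuth conn additionally needs XAUTH user entries in ipsec.secrets.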
