[strongSwan] What is necessary to make road warriors talk to each other?

Levine, Daniel J. Daniel.Levine at jhuapl.edu
Wed Sep 10 20:42:59 CEST 2014


Hi,


We have basically implemented the IKEv2 using EAP-MSCHAPv2 Road Warrior configuration. We are using 2 Android phones with the StrongSwan app on each as road warriors. This is working in that we can authenticate and the road warrior phones each create their own tunnels to the StrongSwan server and get assigned a unique address in the 10.3.0.0/24 subnet. They can also see into the private LAN (10.1.0.0/24 subnet) sitting behind the VPN server. However, the road warriors can't see each other over the VPN (i.e., road warrior1 (VPN IP 10.3.0.1) can't ping road warrior2 (VPN IP: 10.3.0.2)), yet they can see each other outside the VPN.


This makes sense after reading this text found in the StrongSwan Intro:


The mentioned distinction between policies and SAs often leads to misconceptions. For instance, referring to the image above, if host moon has a site-to-site tunnel to host sun (connecting the two networks 10.1.0.0/24 and 10.2.0.0/24), and host carol has a roadwarrior connection to host sun (from which carol received a virtual IP address of 10.3.0.10), then carol won't be able to automatically communicate with alice, even if forwarding is enabled on sun. This is because there is no IPsec policy allowing traffic between carol (10.3.0.10) and alice (10.1.0.10). An additional SA between moon and sun, connecting the virtual subnet 10.3.0.0/24 with 10.1.0.0/24 would be a possible solution to this issue.


Not the exact same scenario, since both aren't road warrior connections, but it sounds like the same issue.


So, my question is, what do I need to add to ipsec.conf so that each Road Warrior that gets added (I want to have more than 2) to 10.3.0.0/24 can see the others as well as the 10.1.0.0/24 private network after authenticating to the VPN?


I assume that the traffic going between the 10.3.0.0/24 virtual IP tunnels still goes to the VPN server first and not directly to the Road Warrior.  But I wouldn't mind some clarity on that as well.


Thanks,

Daniel J. Levine
A3C4 Section Supervisor
Air and Missile Defense Department
Johns Hopkins University Applied Physics Laboratory
Phone: (443) 778-3952  (240) 228-3952
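
The policy behaviour quoted in the message above, as an added example that is not part of the original post and is not strongSwan code: a simplified Python model of how a road warrior's outbound policies follow from the traffic selectors the server accepts. It assumes the client proposes 0.0.0.0/0 and that the server's `leftsubnet` is either the LAN alone or the LAN plus the 10.3.0.0/24 pool; the post shows no ipsec.conf, so both settings and all function names here are hypothetical.

```python
# Simplified model of selector narrowing and policy matching (added example).
from ipaddress import ip_address, ip_network


def narrow(proposed, configured):
    """Intersect the peer's proposed selectors with the configured subnets."""
    result = []
    for cfg in map(ip_network, configured):
        for prop in map(ip_network, proposed):
            # For CIDR blocks the narrower of two overlapping nets is the overlap.
            if cfg.subnet_of(prop):
                result.append(cfg)
            elif prop.subnet_of(cfg):
                result.append(prop)
    return result


def client_policies(virtual_ip, server_leftsubnet, proposal=("0.0.0.0/0",)):
    """Outbound policies on a road warrior as (local TS, remote TS) pairs."""
    local = ip_network(f"{virtual_ip}/32")
    return [(local, remote) for remote in narrow(proposal, server_leftsubnet)]


def tunnelled(policies, src, dst):
    """True if a packet src -> dst matches one of the outbound policies."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in loc and d in rem for loc, rem in policies)


# Addresses are the ones in the post; both leftsubnet values are assumed,
# since the post does not show the server's ipsec.conf.
LAN_ONLY = ["10.1.0.0/24"]
LAN_AND_POOL = ["10.1.0.0/24", "10.3.0.0/24"]


def reachability(server_leftsubnet):
    """What road warrior 10.3.0.1 can reach through its tunnel."""
    pol = client_policies("10.3.0.1", server_leftsubnet)
    return {
        "lan_host": tunnelled(pol, "10.3.0.1", "10.1.0.10"),
        "other_roadwarrior": tunnelled(pol, "10.3.0.1", "10.3.0.2"),
    }


if __name__ == "__main__":
    for label, subnets in (("LAN only", LAN_ONLY), ("LAN + pool", LAN_AND_POOL)):
        print(label, reachability(subnets))
```

With only the LAN in the accepted selectors, the model reproduces the symptom in the post: the LAN host matches a policy and the other road warrior does not.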