[strongSwan] What is necessary to make road warriors talk to each other?

Noel Kuntze noel at familie-kuntze.de
Wed Sep 10 20:47:26 CEST 2014



Hello Levine,

You can set a list of subnets as leftsubnet in ipsec.conf
Example:
leftsubnet=10.1.0.0/24,10.3.0.0/24

That will make the TS cover your VPN network, so traffic that is directed towards
IP addresses in your VPN network goes through the tunnel to your VPN server.
The VPN server knows how to reach the clients, so connections will work.
As the logical location of the distinct VPN clients (physical devices) in the WAN
environment can't be deduced from the IP address they get assigned from the VPN server,
traffic _must_ flow through the VPN server.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 10.09.2014 um 20:42 schrieb Levine, Daniel J.:
>
> Hi,
>
>
> We have basically implemented the IKEv2 using EAP-MSCHAPv2 Road Warrior configuration.  We are using 2 Android phones with the StrongSwan app on each as road warriors.  This is working in that we can authenticate and the road warrior phones each create their own tunnels to the StrongSwan server and get assigned a unique address in the 10.3.0.0/24 subnet.  They can also see into the private LAN (10.1.0.0/24 subnet) sitting behind the VPN server.  However, the road warriors can't see each other over the VPN (i.e., road warrior1 (VPN IP 10.3.0.1) can't ping road warrior2 (VPN IP: 10.3.0.2)), yet they can see each other outside the VPN.
>
>
> This makes sense after reading this text found in the StrongSwan Intro:
>
>
>     The mentioned distinction between policies and SAs often leads to *misconceptions*. For instance, referring to the image above, if host moon has a site-to-site tunnel to host sun (connecting the two networks 10.1.0.0/24 and 10.2.0.0/24), and host carol has a roadwarrior connection to host sun (from which carol received a virtual IP address of 10.3.0.10), then carol won't be able to automatically communicate with alice, even if forwarding is enabled on sun. This is because there is no IPsec policy allowing traffic between carol (10.3.0.10) and alice (10.1.0.10). An additional SA between moon and sun, connecting the virtual subnet 10.3.0.0/24 with 10.1.0.0/24 would be a possible solution to this issue.
>
>
> Not the exact same scenario, since both aren't road warrior connections, but it sounds like the same issue.
>
>
> So, my question is, what do I need to add to ipsec.conf so that each Road Warrior that gets added (I want to have more than 2) to 10.3.0.0/24 can see the others as well as the 10.1.0.0/24 private network after authenticating to the VPN?
>
>
> I assume that the traffic going between the 10.3.0.0/24 virtual IP tunnels still goes to the VPN server first and not directly to the Road Warrior.  But I wouldn't mind some clarity on that as well.
>
>
> Thanks,
>
>
> /Daniel J. Levine/
>
> A3C4 Section Supervisor
>
> Air and Missile Defense Department
>
> Johns Hopkins University Applied Physics Laboratory
>
> Phone: (443) 778-3952  (240) 228-3952
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

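A complete ipsec.conf connection block for the setup Noel describes, added here as an example and not taken from the thread or from the strongSwan documentation. The connection name, the server identity, the certificate file name and the DNS server are assumptions; the two subnets and the EAP-MSCHAPv2 road-warrior setup are the ones from the thread.

```ini
# /etc/ipsec.conf -- added example, not from the original thread.
# Connection name, leftid, leftcert and rightdns are assumed values.

config setup
    # nothing special is needed here for this scenario

conn rw-eap-mschapv2
    keyexchange=ikev2
    left=%any
    leftid=vpn.example.org
    leftcert=serverCert.pem
    leftauth=pubkey
    # Traffic selector offered to every client: the LAN behind the server
    # AND the virtual-IP pool itself.  With only 10.1.0.0/24 here, the
    # negotiated TS does not cover 10.3.0.x, so a packet from one road
    # warrior to another matches no IPsec policy and never enters a tunnel.
    leftsubnet=10.1.0.0/24,10.3.0.0/24
    # Optional: let strongSwan's updown script add FORWARD rules for each
    # negotiated subnet pair (needed if the FORWARD chain defaults to DROP).
    leftfirewall=yes
    right=%any
    rightauth=eap-mschapv2
    eap_identity=%identity
    # Virtual IPs handed out to the Android clients; each client gets a
    # /32 from this pool, so client-to-client traffic is hairpinned through
    # the server: decrypted from one CHILD_SA, forwarded, re-encrypted into
    # the other.
    rightsourceip=10.3.0.0/24
    rightdns=10.1.0.1
    auto=add
```

Two things to verify after `ipsec reload`: `ipsec statusall` should list each connected client's CHILD_SA as `10.1.0.0/24 10.3.0.0/24 === 10.3.0.x/32`, and `sysctl net.ipv4.ip_forward` must be 1, otherwise the server decrypts the packet from road warrior 1 but never forwards it to road warrior 2. As Noel notes, the packets always traverse the server; there is no direct client-to-client SA in this design, so a client that is down simply stops answering and does not affect the others.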
