[strongSwan] Automatic Tunnel Opening and Routing
Jacques Monin
jacques.monin01 at gmail.com
Wed Apr 29 10:54:57 CEST 2015
Thank you for your answers, I'll try to be more explicit about my needs.

I need to do two configurations:

VPN Client: 172.16.0.3 - 1.1.1.1 - INTERNET - 2.2.2.2 - Firewall - 172.16.1.0/24
Mode Config: 172.16.0.32-64 - 1.1.1.1 - INTERNET - 2.2.2.2 - Firewall - 172.16.1.0/24
Here is my ipsec.conf:
config setup

conn %default
    dpddelay=30
    keyingtries=5
    rekeymargin=120
    dpdtimeout=15
    keyexchange=ikev1
    keylife=1h
    ikelifetime=6h
    authby=rsasig

conn normal
    right=2.2.2.2
    rightsubnet=172.16.1.0/24
    rightid=%any
    left=%defaultroute
    leftsubnet=172.16.0.3/32
    leftsourceip=172.16.0.3
    leftcert=cert.pem
    leftca=cacert.pem
    leftsendcert=always
    auto=route
    type=tunnel
    ike=aes256-sha2_256-modp1536
    esp=aes256-sha2_256-modp1024

conn cfgconf
    right=2.2.2.2
    rightsubnet=172.16.1.0/24
    rightid=%any
    left=%defaultroute
    leftsourceip=%modeconfig
    leftcert=cert.pem
    leftca=cacert.pem
    leftrsasigkey=%cert
    leftsendcert=always
    auto=route
    type=tunnel
    ike=aes256-sha2_256-modp1536
    esp=aes256-sha2_256-modp1024
strongswan.conf:

charon {
    load_modular = yes
    install_virtual_ip = yes
    install_routes = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
I have problems with these two configurations:

For the first:
- strongSwan doesn't create a virtual IP address 172.16.0.3 but a virtual IP
address in the config mode subnet, even if I remove cfgconf from ipsec.conf.
So when I do "ip a show eth1" I get 172.16.0.33 instead of 172.16.0.3 (but
when I check my configuration with "ipsec statusall" it gives me:
normal{1}: 172.16.0.3/32 === 172.16.1.0/24). So, is strongSwan supposed
to create a virtual IP address for a non-config-mode connection?

For the second:
- All works fine if I don't want to use traffic detection. Indeed, if I
want my tunnel to be opened on traffic detection, I need to specify
auto=route, but my tunnel is in config mode so the routing doesn't seem to
work (however, when I open my tunnel with auto=start, all works fine). So,
is there any way to get around this problem? Is it possible to use
traffic detection without initial routing?

For both:
- I'm using virtual IP addresses because I do road-warrior configurations, so
when I unplug a network wire these virtual IP addresses are erased, so I'd
need either virtual addresses which are not erased when the wire is
unplugged, or tunnels to be closed when the wire is unplugged (in order to
have the virtual IP address recreated after the wire is plugged back in).

Thanks for helping
2015-04-29 7:55 GMT+02:00 Noel Kuntze <noel at familie-kuntze.de>:
>
> Hello Jacques,
>
> Do you have logs? I would like to see what strongSwan does and your
> operating system in particular,
> as you do not use DPD, so a connection failure should not be detected and
> the policies and the tunnel state should remain up,
> although no communication is possible. If this is wanted, is yours to
> decide.
>
> Also, if your ultimate goal is to avoid leaking traffic, look at the
> "policy" match in iptables
> and make creative use of it in *filter FORWARD.
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 28.04.2015 at 11:19, Jacques Monin wrote:
> > Hello,
> >
> > I'm trying to configure strongSwan in order to have automatic tunnel
> > opening and routing.
> >
> > The tunnel opens well on traffic detection, the routes are created and
> > all works well. But if a network wire is unplugged, the routing is erased
> > and I have to restart strongSwan.
> > Is there any way to avoid this?
> >
> > Is it possible to have the routing and the virtual address added
> > while the tunnel is being opened?
> > By using leftupdown="ipsec _updown"
> >
> > It seems that the only option to have automatic tunnel opening is to
> > specify auto=route in ipsec.conf (I was hoping auto=add had the same
> > behaviour).
> > So is there any way to have automatic tunnel opening without initial
> > routing?
> >
> > Here is my configuration:
> >
> > config setup
> >
> > conn %default
> >     dpddelay=30
> >     keyingtries=5
> >     rekeymargin=120
> >     dpdtimeout=120
> >     keyexchange=ikev1
> >     keylife=1h
> >     ikelifetime=6h
> >     authby=rsasig
> >
> > conn Visio
> >     right=A.A.A.A
> >     rightsubnet=172.16.1.0/24
> >     rightid=%any
> >
> >     left=%defaultroute
> >     leftsubnet=172.16.0.3/32
> >     leftsourceip=172.16.0.3
> >     leftcert=cert.pem
> >     leftca=cacert.pem
> >     leftsendcert=always
> >
> >     auto=route
> >     type=tunnel
> >     ike=aes256-sha2_256-modp1536
> >     esp=aes256-sha2_256-modp1024
> >
> > Thanks for your help
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>
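The "for both" problem in this mail, tunnels left dangling after the uplink loses its cable, can be handled outside strongSwan with a small link watcher. The script below is an added example and not code from the thread or from the strongSwan project: it follows `ip monitor link`, runs `ipsec down` for each road-warrior connection when the uplink reports NO-CARRIER, so the stale SAs and the virtual IP bound to them are gone, and re-issues `ipsec route` once carrier returns so the trap policy from `auto=route` is in place and the next packet towards 172.16.1.0/24 triggers a fresh negotiation with a newly assigned virtual IP. The interface name `eth1`, the connection names `normal` and `cfgconf` and the sample event lines are taken from or constructed for this mail; `ipsec down` and `ipsec route` are the stroke-based commands of strongSwan's `ipsec` tool, and whether `ipsec route` on a still-routed connection is silently accepted or reported is left to the log line the script prints.

```shell
#!/bin/sh
# vpn-link-watch.sh (constructed example): close strongSwan road-warrior
# tunnels when the uplink loses carrier and re-arm their trap policies when
# it comes back. Assumes the uplink "eth1" and the conn names "normal" and
# "cfgconf" from the ipsec.conf in this mail.
set -f                       # no globbing while we word-split monitor lines
UPLINK="${UPLINK:-eth1}"
CONNS="${CONNS:-normal cfgconf}"
DRY_RUN="${DRY_RUN:-0}"      # DRY_RUN=1 only prints the ipsec commands

# classify_link_event LINE
# Prints "<ifname> up" or "<ifname> down" for an interface status line as
# emitted by `ip monitor link` (e.g. "3: eth1: <NO-CARRIER,BROADCAST,...>"),
# returns 1 for any other line (address lines, "link/ether ..." continuations).
classify_link_event() {
    set -- $1
    [ "$1" = "Deleted" ] && shift        # "Deleted 3: eth1: <...>" on removal
    case $1 in [0-9]*:) ;; *) return 1 ;; esac
    ifname=${2%:}; ifname=${ifname%%@*}  # strip ':' and any "@parent" suffix
    flags=${3#<}; flags=${flags%>}
    case ",$flags," in
        *,NO-CARRIER,*) state=down ;;    # cable unplugged or link lost
        *,LOWER_UP,*)   state=up ;;      # carrier present
        *)              state=down ;;    # administratively down, no carrier
    esac
    [ -n "$ifname" ] || return 1
    printf '%s %s\n' "$ifname" "$state"
}

# ipsec_cmds_for STATE
# Prints one ipsec command per line for a transition of the uplink to STATE:
# "down" terminates the SAs of each conn, "up" re-installs its trap policy.
ipsec_cmds_for() {
    for conn in $CONNS; do
        case $1 in
            down) printf 'ipsec down %s\n' "$conn" ;;
            up)   printf 'ipsec route %s\n' "$conn" ;;
        esac
    done
}

# run_cmds: execute the commands read on stdin, one per line; a failing
# command is reported and does not stop the watcher.
run_cmds() {
    while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "+ $cmd"
        else
            $cmd || echo "vpn-link-watch: '$cmd' failed" >&2
        fi
    done
}

# monitor: follow link events and act only on real carrier transitions of the
# uplink, ignoring repeated notifications for the same state.
monitor() {
    last=""
    ip monitor link | while IFS= read -r line; do
        ev=$(classify_link_event "$line") || continue
        set -- $ev
        [ "$1" = "$UPLINK" ] || continue
        [ "$2" = "$last" ] && continue
        last=$2
        echo "vpn-link-watch: $UPLINK carrier $2" >&2
        ipsec_cmds_for "$2" | run_cmds
    done
}

if [ "${1-}" = "--run" ]; then
    monitor
fi
```

Run it as root with `sh vpn-link-watch.sh --run` (or `DRY_RUN=1 sh vpn-link-watch.sh --run` to only see which ipsec commands would be issued). The script deliberately only terminates SAs and never unroutes the connections: as long as the trap policy installed by `auto=route` stays in the kernel, packets for 172.16.1.0/24 are held until an SA exists rather than sent in clear, which is the leak-avoidance property the reply above points at with the iptables policy match.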