[strongSwan] Successful IPSec connection, but how to access computer on other side?

Nicolas Göddel nicolas at freakscorner.de
Tue Jun 9 14:11:30 CEST 2015


Hi,

I am new to the topics of VPN, IPSec, route, iptables, etc.

I have the scenario shown in the attachment. My IPSec gateway is a Lubuntu
machine with two network interfaces. eth0 is connected to the internal LAN. There is a
switch which connects a few Windows computers with a Cisco RV042 router and the
Lubuntu (IPSec gateway). The Cisco gives internet access over a fast internet
connection and has DHCP enabled, so that all Windows computers get their IP
address from this router and are able to use the internet. At the moment Lubuntu is
configured with a static IP within the subnet 192.168.1.0/24. A second modem
with the static IP 176.94.x.x is connected to eth1; it should be used to
create a site-to-site IPSec connection to another company.

_route looks like this:_

root at vpn-server:~# LANG=C route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         business-176-09 0.0.0.0         UG    0      0        0 eth1
176.94.52.88    *               255.255.255.248 U     1      0        0 eth1
192.168.1.0     *               255.255.255.0   U     1      0        0 eth0

_This is /etc/ipsec.conf:_

config setup
        charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default

conn union
        left=176.94.x.x
        leftsubnet=10.100.1.0/24
        leftsourceip=10.100.1.1
        leftfirewall=yes
        right=83.136.y.y
        rightsubnet=10.251.0.0/16
        auto=add
        ikelifetime=24h
        lifetime=1h
        type=tunnel
        lifebytes=4718592000
        ike=aes256-sha256-modp2048
        esp=aes256-sha256-modp2048
        authby=psk
        keyexchange=ikev1
        lefthostaccess=yes

_This is /etc/strongswan.conf:_

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

_This is ifconfig -a:_

root at vpn-server:~# ifconfig -a
eth0      Link encap:Ethernet  Hardware Adresse c4:6e:1f:06:10:90 
          inet Adresse:192.168.1.152  Bcast:192.168.1.255  Maske:255.255.255.0
          inet6-Adresse: fe80::c66e:1fff:fe06:1090/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX-Pakete:1355634 Fehler:0 Verloren:360 Überläufe:0 Fenster:0
          TX-Pakete:12684 Fehler:0 Verloren:0 Überläufe:0 Träger:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX-Bytes:113088435 (113.0 MB)  TX-Bytes:1505232 (1.5 MB)

eth1      Link encap:Ethernet  Hardware Adresse 00:1b:fc:90:80:51 
          inet Adresse:176.94.x.x  Bcast:176.94.x.x  Maske:255.255.255.248
          inet6-Adresse: fe80::21b:fcff:xxxx:xxxx/64 Gültigkeitsbereich:Verbindung
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
          RX-Pakete:1955017 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
          TX-Pakete:1898517 Fehler:0 Verloren:0 Überläufe:0 Träger:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX-Bytes:472209413 (472.2 MB)  TX-Bytes:443885596 (443.8 MB)

lo        Link encap:Lokale Schleife 
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          inet6-Adresse: ::1/128 Gültigkeitsbereich:Maschine
          UP LOOPBACK RUNNING  MTU:65536  Metrik:1
          RX-Pakete:10137 Fehler:0 Verloren:0 Überläufe:0 Fenster:0
          TX-Pakete:10137 Fehler:0 Verloren:0 Überläufe:0 Träger:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX-Bytes:1341831 (1.3 MB)  TX-Bytes:1341831 (1.3 MB)

_This is starting ipsec:_

root at vpn-server:~# ipsec start
Starting strongSwan 5.1.2 IPsec [starter]...
root at vpn-server:~# ipsec up union
initiating Main Mode IKE_SA union[1] to 83.136.y.y
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (196 bytes)
received packet: from 83.136.y.y[500] to 176.94.x.x[500] (108 bytes)
parsed ID_PROT response 0 [ SA V ]
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (396 bytes)
received packet: from 83.136.y.y[500] to 176.94.x.x[500] (456 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received DPD vendor ID
received unknown vendor ID: 75:37:a8:c7:39:54:ff:f2:a8:f6:8d:a3:d4:0b:63:11
received XAuth vendor ID
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (92 bytes)
received packet: from 83.136.y.y[500] to 176.94.x.x[500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA union[1] established between 176.94.x.x[176.94.x.x]...83.136.y.y[83.136.y.y]
scheduling reauthentication in 85375s
maximum IKE_SA lifetime 85915s
generating TRANSACTION request 247522367 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (92 bytes)
received packet: from 83.136.y.y[500] to 176.94.x.x[500] (108 bytes)
parsed INFORMATIONAL_V1 request 2733943088 [ HASH D ]
received DELETE for IKE_SA union[1]
deleting IKE_SA union[1] between 176.94.x.x[176.94.x.x]...83.136.y.y[83.136.y.y]
initiating Main Mode IKE_SA union[2] to 83.136.y.y
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 176.94.x.x[500] to 83.136.y.y[500] (196 bytes)
connection 'union' established successfully
root at vpn-server:~# ipsec status
Security Associations (1 up, 0 connecting):
       union[1627]: CONNECTING, 176.94.x.x[%any]...83.136.y.y[%any]

Now I want to be able to ping the computer on the other side with the IP address
10.251.232.75 from Lubuntu. What do I have to do?
Later I want to be able to connect from any Windows PC to 10.251.232.75.
What do I have to do then?
I can assume that the other side is configured correctly, so that I should be
able to ping 10.251.232.75 from my side. But first I have to do things right on
my side.

I thought strongswan would create a virtual interface like openvpn does. I guess
this way I would be able to use this virtual interface as the gateway to the
VPN/IPSec tunnel.
What do I need, and where can I read about this scenario? Do you need more information?

Thank you!

-- 
——————————————————————————————————————————————
Homepage: http://freakscorner.de
Facebook: http://www.facebook.com/Bastelkeller
Twitter: http://twitter.com/freaks_corner
Youtube: http://youtube.com/tubenic86
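Linux IPsec does not create an interface; the kernel matches packets against XFRM policies (traffic selectors) derived from leftsubnet/rightsubnet, which is why `route` shows nothing for the tunnel and `ip xfrm policy` is the place to look. The following is an added example, not code from the post or from strongSwan: it parses a constructed `ip xfrm policy` listing shaped like what the conn above would install (leftsubnet=10.100.1.0/24, rightsubnet=10.251.0.0/16, peer addresses kept masked as in the post) and checks which local source addresses would actually be steered into the tunnel towards 10.251.232.75.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output, shaped like the policies
# strongSwan installs for conn "union" once a CHILD_SA is up. The peer
# addresses are left masked exactly as in the post; the parser ignores them.
SAMPLE_XFRM_POLICY = """\
src 10.100.1.0/24 dst 10.251.0.0/16
\tdir out priority 375423 ptype main
\ttmpl src 176.94.x.x dst 83.136.y.y
\t\tproto esp reqid 1 mode tunnel
src 10.251.0.0/16 dst 10.100.1.0/24
\tdir in priority 375423 ptype main
\ttmpl src 83.136.y.y dst 176.94.x.x
\t\tproto esp reqid 1 mode tunnel
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)")   # selector line, no indent
DIR_RE = re.compile(r"^\s+dir (\w+)")               # indented "dir out|in|fwd"

def parse_xfrm_policies(text):
    """Return a list of (direction, src_net, dst_net) from `ip xfrm policy` output."""
    policies, selector = [], None
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            selector = (ipaddress.ip_network(m.group(1)),
                        ipaddress.ip_network(m.group(2)))
            continue
        m = DIR_RE.match(line)
        if m and selector:
            policies.append((m.group(1), selector[0], selector[1]))
            selector = None
    return policies

def matching_policy(policies, src, dst, direction="out"):
    """Return the (src_net, dst_net) selector covering src->dst in the given
    direction, or None if the packet would be sent in the clear (no policy)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pdir, src_net, dst_net in policies:
        if pdir == direction and s in src_net and d in dst_net:
            return (src_net, dst_net)
    return None

if __name__ == "__main__":
    pols = parse_xfrm_policies(SAMPLE_XFRM_POLICY)
    for src in ("192.168.1.152", "10.100.1.1"):   # eth0 address vs. leftsourceip
        hit = matching_policy(pols, src, "10.251.232.75")
        print(f"{src} -> 10.251.232.75: {'enters tunnel' if hit else 'NOT in any policy'}")
```

With this conn, a ping sourced from the eth0 address 192.168.1.152 (or from the eth1 address chosen by the default route) never matches the 10.100.1.0/24 selector and leaves in the clear; only a source inside leftsubnet, such as the 10.100.1.1 from leftsourceip, would. Note also that the `ipsec status` above shows CONNECTING rather than INSTALLED, in which case no policy exists yet and every source fails this check.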

A non-text attachment was scrubbed...
Name: Netzwerk.png
Type: image/png
Size: 182237 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150609/13433300/attachment-0001.png>