[strongSwan] Working simple setup was working, now no packets pass

pg at pg pg at pg
Mon Mar 2 22:29:41 CET 2015


> Server:
> conn rw
>         leftsubnet=192.168.1.0/24
>         leftcert=StrongSwanHostCert.pem
>         right=%any
>         rightsourceip=192.168.1.11
>         auto=add

> Client
>  conn rw
>         leftsourceip=192.168.1.11
>         leftcert=mycert.pem
>         right=ext.ip
>         rightsubnet=.192.168.1.0/24
>         rightid="C=CH, O=strongswan, CN=my.server.name
>         auto=add

That does not make much sense... 'ipsec.conf' syntax is
carefully designed to allow using exactly the same configuration
file on both sides, even if rather regrettably several of the
examples in the strongSwan docs are written differently for
each side.

In IPsec there is really no client or server, that's why the two
sides are called "left" and "right". They could be called "jim"
and "sam" and perhaps that would be better.

Also note the syntax error in "rightsubnet=.192.168.1.0/24".

Also, you are stating that the client's source ip address is in
the same subnet as the server's subnet, and the hosts in that
subnet behind the gateway will not be sending response packets
to that gateway because they will have a route telling them that
192.168.1.11 is on the same LAN as they are.

Also, since you are using private addresses with presumably
public external IPs, you should probably be using tunnel mode.

A connection that can be used on both sides might look like
(entirely untested):

----------------------------------------------------------------
conn vpn
  # 'type' selects tunnel or transport mode
  type		=tunnel
  auto		=ignore

  left		=PUBLICIP
  leftsubnet	=192.168.1.0/24
  rightsourceip	=192.168.2.0/24
  leftid	="C=CH,O=strongSwan,CN=SERVERNAME"
  leftcert	=SERVERNAME.pem

  # "client" configs should be as generic as possible.
  # https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp
  right		=%any
  rightsourceip =%config
  rightcert	=/etc/localcert.pem

conn vpn-this
  also		=vpn
  auto		=add
----------------------------------------------------------------

If you use a static 'rightsourceip' on the client, regrettably
you have to have different config files to specify that address
explicitly on the client; with the template structure above this
is easy, by writing:

----------------------------------------------------------------
conn vpn-CLIENTNAME
  also		=vpn
  auto		=add
  rightsourceip	=192.168.2.11
----------------------------------------------------------------

as the second 'conn' only on the client. If you want to specify
a host-specific certificate for the client without using a
generic host-independent location like '/etc/localcert.pem',
you can use, again only on the client:

----------------------------------------------------------------
conn vpn-CLIENTNAME
  also		=vpn
  auto		=add
  rightsourceip	=192.168.2.11
  rightcert	=CLIENTNAME.cert
----------------------------------------------------------------


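As an added illustration (not from the thread above and not part of strongSwan itself), the following Python script lints 'conn' sections of an ipsec.conf-style file for the mistakes discussed in this reply: a malformed subnet value, an unbalanced quote in an id, a key set twice in one conn, a misspelt key, and a peer's source IP that falls inside the other side's protected subnet (so the hosts there would answer over the LAN rather than back through the gateway). The sample configuration embedded in it is constructed for the example, with the quoted configs renamed 'rw-server' and 'rw-client'; KNOWN_KEYS is only a subset of the keys ipsec.conf(5) documents, and TYPO_HINTS is a guess at likely misspellings.

```python
"""Lint ipsec.conf 'conn' sections for a few common configuration mistakes."""
import ipaddress
from collections import defaultdict

# Constructed sample, not a real deployment: the two configs quoted in the
# thread (renamed) plus a conn with a misspelt key and a duplicated key.
SAMPLE_CONF = """\
conn rw-server
        leftsubnet=192.168.1.0/24
        leftcert=StrongSwanHostCert.pem
        right=%any
        rightsourceip=192.168.1.11
        auto=add

conn rw-client
        leftsourceip=192.168.1.11
        leftcert=mycert.pem
        right=ext.ip
        rightsubnet=.192.168.1.0/24
        rightid="C=CH, O=strongswan, CN=my.server.name
        auto=add

conn vpn
  mode=tunnel
  auto=ignore
  left=203.0.113.1
  leftsubnet=192.168.1.0/24
  rightsourceip=192.168.2.0/24
  right=%any
  rightsourceip=%config
  rightcrt=/etc/localcert.pem
"""

# Subset of the conn-section keys documented in ipsec.conf(5).
KNOWN_KEYS = {
    "also", "auto", "type", "keyexchange", "ike", "esp", "authby",
    "left", "right", "leftsubnet", "rightsubnet", "leftsourceip", "rightsourceip",
    "leftcert", "rightcert", "leftid", "rightid", "leftauth", "rightauth",
    "leftca", "rightca", "leftfirewall", "rightfirewall", "leftupdown", "rightupdown",
    "leftdns", "rightdns", "dpdaction", "dpddelay", "ikelifetime", "lifetime",
    "rekey", "reauth", "mobike", "fragmentation", "forceencaps", "keyingtries",
    "compress", "closeaction", "eap_identity",
}
# Assumed common misspellings, mapped to the real key.
TYPO_HINTS = {"mode": "type", "rightcrt": "rightcert", "leftcrt": "leftcert"}
# Keys whose values must be addresses/subnets unless they are %keywords.
ADDRESS_KEYS = ("leftsubnet", "rightsubnet", "leftsourceip", "rightsourceip")


def parse_ipsec_conf(text):
    """Return {section_header: [(key, value), ...]}, keeping duplicates and order."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # unindented: 'conn NAME', 'config setup', ...
            current = line.strip()
            sections[current]                      # register even an empty section
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current].append((key, value))
    return dict(sections)


def _network(value):
    """Parse an address or CIDR; None for %keywords or unparsable text."""
    if value.startswith("%"):
        return None
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def lint_conn(entries):
    """Return [(key, message), ...] findings for one conn section."""
    findings, seen = [], {}
    for key, value in entries:
        if key not in KNOWN_KEYS:
            hint = TYPO_HINTS.get(key)
            findings.append((key, "unknown key" + (f" (did you mean '{hint}'?)" if hint else "")))
        if key in seen:
            findings.append((key, f"set twice; '{value}' overrides '{seen[key]}'"))
        seen[key] = value
        if value.count('"') % 2:
            findings.append((key, "unbalanced double quote"))
        if key in ADDRESS_KEYS and not value.startswith("%"):
            for item in value.split(","):
                if _network(item.strip()) is None:
                    findings.append((key, f"'{item.strip()}' is not a valid address or subnet"))
    # One side's virtual IP inside the other side's protected subnet: hosts in
    # that subnet route replies over the LAN instead of back through the gateway.
    for mine, theirs in (("leftsourceip", "rightsubnet"), ("rightsourceip", "leftsubnet")):
        ip, net = _network(seen.get(mine, "%")), _network(seen.get(theirs, "%"))
        if ip is not None and net is not None and ip.subnet_of(net):
            findings.append((mine, f"{ip} lies inside {theirs}={net}; replies will bypass the tunnel"))
    return findings


def lint_ipsec_conf(text):
    """Lint every conn section; returns {conn_name: [(key, message), ...]}."""
    report = {}
    for header, entries in parse_ipsec_conf(text).items():
        if header.startswith("conn "):
            report[header.split(None, 1)[1]] = lint_conn(entries)
    return report


if __name__ == "__main__":
    for conn, findings in lint_ipsec_conf(SAMPLE_CONF).items():
        print(f"conn {conn}:")
        for key, msg in findings:
            print(f"  {key}: {msg}")
```

Run it as-is to see the findings for the constructed sample; point lint_ipsec_conf() at your own ipsec.conf text to check a real file. The subnet check deliberately stays quiet when the subnet value itself is malformed, since there is nothing sensible to compare against until that is fixed.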