[strongSwan] IPSec Host-to-Host connection + Virtual IP + own PKI.

Rodrigo Lins lins.oliveira at gmail.com
Wed Feb 17 10:39:33 CET 2016


Hi All, I have some virtual machine instances with different providers and I want to make a connection among them using IPSec + Virtual IP.

I already got the PKI working and the tunnel working. However, when I connect, the client machine gets the Virtual IP from the server, but the server doesn't get a virtual IP.

The point is, I'm not so sure what to look for. This setup, excluding the PKI, works fine with OpenSSH, but we want to change to IPSec.

Any suggestions? Thanks in advance!



This is how it's working right now.

+-----------+             +-----------+
|   moon    |-------------|    sun    |
+-----------+             +-----------+
Public IP: 213.X.X.X      Public IP: 213.X.X.X
After connection:
Virtual IP: Doesn't have  Virtual IP: 192.168.200.1


This is what I'm looking for:
+-----------+             +-----------+
|   moon    |-------------|    sun    |
+-----------+             +-----------+
Public IP: 213.X.X.X      Public IP: 213.X.X.X
After connection:
Virtual IP: 192.168.200.1  Virtual IP: 192.168.200.2


====================================================================================
                      Moon Ipsec.conf
====================================================================================

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default

        ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
        esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

        left=%any
#       leftsubnet=192.168.200.0/28

conn monitoring-host
        leftcert=vpnHostCert.pem
        right=%any
        rightsourceip=192.168.200.0/24
#       rightsourceip=%config
        auto=add

====================================================================================
                      Sun Ipsec.conf
====================================================================================
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup

conn home
#        leftsourceip=%config # Gets a virtual IP
        leftsourceip=192.168.200.70
        leftcert=demoCert.pem
        right=213.X.X.X
        rightid="C=DE, O=xxxxxxx, CN=xxxxx.xxxx.xxx"
        auto=start

include /var/lib/strongswan/ipsec.conf.inc


====================================================================================
                      Moon ipsec statusall
====================================================================================
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):
  uptime: 27 minutes, since Feb 17 10:03:10 2016
  malloc: sbrk 2568192, mmap 0, used 588816, free 1979376
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl openssl revocation hmac xcbc stroke kernel-netlink socket-default updown
Virtual IP pools (size/online/offline):
  192.168.200.0/24: 254/1/0
Listening IP addresses:
  213.xxx.xxx.xxx
  2a02:xxxx:xxxx:xxxx::xxxx
Connections:
monitoring-host:  %any...%any  IKEv2
monitoring-host:   local:  [C=DE, O=xxxx, CN=xxxx] uses public key authentication
monitoring-host:    cert:  "C=DE, O=xxxx, CN=xxxx"
monitoring-host:   remote: uses public key authentication
monitoring-host:   child:  dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
monitoring-host[4]: ESTABLISHED 4 seconds ago, 213.xxx.xxx.xxx[C=DE, O=xxxx, CN=xxxx]...213.xxx.xxx.xxx[C=DE, O=xxxx, CN=xxxx]
monitoring-host[4]: IKEv2 SPIs: b130789ba42ee258_i fca69a6e36637e94_r*, public key reauthentication in 54 minutes
monitoring-host[4]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
monitoring-host{2}:  INSTALLED, TUNNEL, ESP SPIs: c2484a7c_i cba73ced_o
monitoring-host{2}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 15 minutes
monitoring-host{2}:   213.xxx.xxx.xxx/32 === 192.168.200.1/32
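As an added check that is not part of the original post: the script below parses the "ipsec statusall" format shown above (the "Virtual IP pools" section and the CHILD_SA traffic-selector lines) and reports which end of each installed CHILD_SA still uses a real address rather than one from the virtual IP pool. The status text embedded in it is constructed from the post's output, with the masked public IPs replaced by RFC 5737 documentation addresses.

```python
import ipaddress
import re

# Constructed sample modelled on the "ipsec statusall" output quoted in the post;
# the masked public addresses are replaced by RFC 5737 documentation addresses.
MOON_STATUS = """\
Virtual IP pools (size/online/offline):
  192.168.200.0/24: 254/1/0
Connections:
monitoring-host:   child:  dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
monitoring-host[4]: ESTABLISHED 4 seconds ago, 192.0.2.10[C=DE, O=xxxx, CN=xxxx]...192.0.2.20[C=DE, O=xxxx, CN=xxxx]
monitoring-host{2}:   192.0.2.10/32 === 192.168.200.1/32
"""

# "  <pool>/<len>: size/online/offline" lines under "Virtual IP pools"
POOL_RE = re.compile(r"^\s+(\S+/\d+): \d+/\d+/\d+$", re.MULTILINE)
# "<conn>{<n>}:   <local selectors> === <remote selectors>" of an installed CHILD_SA
TS_RE = re.compile(r"^(\S+\{\d+\}):\s+(.+?) === (.+?)\s*$", re.MULTILINE)

def parse_pools(status):
    """Networks listed under 'Virtual IP pools'."""
    return [ipaddress.ip_network(p) for p in POOL_RE.findall(status)]

def parse_child_selectors(status):
    """CHILD_SA name -> (local selectors, remote selectors), as ip_network objects."""
    return {name: tuple([ipaddress.ip_network(t) for t in side.split()]
                        for side in (local, remote))
            for name, local, remote in TS_RE.findall(status)}

def is_virtual_ip(selectors, pools):
    """One end has a virtual IP when it is exactly one host address inside a pool."""
    if len(selectors) != 1:
        return False
    ts = selectors[0]
    return ts.prefixlen == ts.max_prefixlen and any(
        ts.version == pool.version and ts.subnet_of(pool) for pool in pools)

def check_virtual_ips(status, pools=None):
    """Per installed CHILD_SA: does each end use an address from the pool(s)?"""
    pools = parse_pools(status) if pools is None else pools
    return {name: {"local": is_virtual_ip(loc, pools), "remote": is_virtual_ip(rem, pools)}
            for name, (loc, rem) in parse_child_selectors(status).items()}

def ends_without_virtual_ip(status, pools=None):
    """(child_sa, side) pairs still using a real address instead of a virtual one."""
    return [(name, side) for name, sides in check_virtual_ips(status, pools).items()
            for side, ok in sides.items() if not ok]
```

Run against moon's status it flags only the local end of monitoring-host{2}: sun was handed 192.168.200.1 while moon's own selector is still its public /32, which is exactly the asymmetry the post describes.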