[strongSwan] Setup site-to-site VPN via central server
Martin Sand
dborn at gmx.net
Tue Jul 12 22:34:06 CEST 2016
Hi Tobias,
Thanks for your reply. Please find more details below.
Regarding #1, on the server I have configured another IP address for the
network device:
ip addr add 192.168.1.0/24 dev eth0
Do I need to add a route as well?
Central server internal IP: 192.168.1.0, external IP: vpn.example.org
First home gateway: 192.168.0.1/24
Second home gateway: 192.168.2.1/24
Please find below my ipsec.conf
The connection seems to be established, but I get the following error
message on the server:
traffic selectors 192.168.1.0/32 192.168.2.0/24 === 192.168.1.0/24
inacceptable
failed to establish CHILD_SA, keeping IKE_SA
On the first gateway I get:
installing new virtual IP 192.168.0.1
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
Best regards
Martin
## Server.conf
config setup

conn base
    type=tunnel
    keyexchange=ikev2
    keyingtries=%forever
    rekeymargin=3m
    ikelifetime=60m
    keylife=20m
    compress=no
    left=vpn.example.org
    leftauth=pubkey
    leftcert=serverCert.pem
    leftsubnet=192.168.1.0
    leftfirewall=yes
    right=%any
    rightauth=pubkey
    rightsendcert=never

conn vpn-first
    auto = add
    rightcert = firstCert.pem
    rightsubnet = 192.168.0.0/24
    rightsourceip = 192.168.0.1
    also=base

conn vpn-mann
    auto = add
    rightcert = secondCert.pem
    rightsubnet = 192.168.2.0/24
    rightsourceip = 192.168.2.1
    also=base
# First gateway ipsec.conf (second one skipped for the moment)
config setup

conn %default

conn vpn-stern
    auto=route
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=%forever
    keyexchange=ikev2
    dpdaction = restart
    closeaction = restart
    forceencaps = yes
    compress = no
    fragmentation=yes
    right = vpn.example.org
    rightauth = pubkey
    rightcert = serverCert.pem
    rightsendcert=never
    rightsubnet = 192.168.1.0,192.168.2.0/24
    left = %defaultroute
    leftauth = pubkey
    leftca = %same
    leftcert = firstCert.pem
    leftsubnet = 192.168.1.0/24
    leftsourceip = %config4
On 07/12/2016 10:49 AM, Tobias Brunner wrote:
> Hi Martin,
>
>> There are basically 2 separate questions:
>> 1. Do I need to setup ip route on vpn.example.org?
> What do you mean?
>
>> 2. What are the right iptables to route traffic from the two home
>> networks to each other?
> Depends on the existing firewall configuration. But traffic between the
> subnets must be permitted in the FORWARD chain. strongSwan will install
> such rules with leftfirewall=yes.
>
> Regards,
> Tobias
>
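The selectors in the server log above show where the CHILD_SA proposal falls apart: a leftsubnet without a prefix length is a single host, so the hub's 192.168.1.0 becomes the 192.168.1.0/32 that appears in the log, and the first gateway proposes 192.168.1.0/24 as its own local selector, which has no overlap with the 192.168.0.0/24 the hub holds as rightsubnet for that conn, so IKEv2 narrowing finds no intersection and the hub replies with TS_UNACCEPTABLE. The gateway log also shows the hub handing out 192.168.0.1 as a virtual IP, which is the gateway's own LAN address. As an added example, not part of this thread and not strongSwan project code, here is a hub-and-spoke layout for the same three networks in which each conn on the hub lists the hub LAN plus the other spoke's LAN as leftsubnet and each spoke lists only its own LAN as leftsubnet; the hub host address 192.168.1.1, the assumption that each gateway is the default router of its LAN, and the certificate file names are assumptions taken over from the posted configs, and the virtual-IP parameters are dropped because routed site-to-site subnets do not need them.

```conf
# ---- hub (vpn.example.org): /etc/ipsec.conf ----
# Assumed: eth0 carries the host address 192.168.1.1/24 (not the network
# address), net.ipv4.ip_forward=1 is set, and leftfirewall=yes lets the
# _updown script add the FORWARD rules for every local/remote subnet pair.
config setup

conn base
    type=tunnel
    keyexchange=ikev2
    keyingtries=%forever
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    compress=no
    left=vpn.example.org
    leftauth=pubkey
    leftcert=serverCert.pem
    leftfirewall=yes
    right=%any
    rightauth=pubkey
    rightsendcert=never
    auto=add

conn vpn-first
    also=base
    rightcert=firstCert.pem
    # Remote selector: spoke 1's LAN. Local selector: hub LAN plus spoke 2's
    # LAN, so spoke 1 -> spoke 2 traffic enters this tunnel and is forwarded.
    rightsubnet=192.168.0.0/24
    leftsubnet=192.168.1.0/24,192.168.2.0/24

conn vpn-second
    also=base
    rightcert=secondCert.pem
    rightsubnet=192.168.2.0/24
    leftsubnet=192.168.1.0/24,192.168.0.0/24

# ---- first spoke (LAN 192.168.0.0/24): /etc/ipsec.conf ----
# Assumed: this gateway is 192.168.0.1 and the default router of its LAN,
# so charon's policies and its routes in table 220 are all that is needed.
config setup

conn vpn-hub
    auto=route
    keyexchange=ikev2
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=%forever
    dpdaction=restart
    closeaction=restart
    forceencaps=yes
    fragmentation=yes
    compress=no
    left=%defaultroute
    leftauth=pubkey
    leftcert=firstCert.pem
    # This site's own LAN, with a prefix length.
    leftsubnet=192.168.0.0/24
    leftfirewall=yes
    right=vpn.example.org
    rightauth=pubkey
    rightcert=serverCert.pem
    rightsendcert=never
    # Hub LAN plus the other spoke's LAN; both must match the hub's
    # leftsubnet for this conn, which they do after narrowing.
    rightsubnet=192.168.1.0/24,192.168.2.0/24

# ---- second spoke (LAN 192.168.2.0/24) ----
# Identical to the first spoke except for these three parameters:
#     leftcert=secondCert.pem
#     leftsubnet=192.168.2.0/24
#     rightsubnet=192.168.1.0/24,192.168.0.0/24
```

With this layout no manual `ip route` is needed on either side: charon installs a route for each rightsubnet in routing table 220 (`ip route show table 220`) and, with leftfirewall=yes, the matching FORWARD ACCEPT rules, which is what carries 192.168.0.0/24 to 192.168.2.0/24 in one tunnel and out the other on the hub. After `ipsec update` or a restart, `ipsec statusall` lists the negotiated selectors per CHILD_SA, and a mismatch there is the first thing to compare against the leftsubnet/rightsubnet lines before touching iptables.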