[strongSwan] Setup site-to-site VPN via central server

Tobias Brunner tobias at strongswan.org
Wed Jul 13 15:49:45 CEST 2016


Hi Martin,

> Regarding #1, on the server I have configured another IP address for the 
> network device:
> ip addr add 192.168.1.0/24 dev eth0
> 
> Do I need to add a route as well?

You won't need either of those to connect the two subnets.

> Central server internal IP: 192.168.1.0, external IP: vpn.example.org
> First home gateway: 192.168.0.1/24
> Second home gateway: 192.168.2.1/24
> 
> Please find below my ipsec.conf

See my comments below.

> The connection seems to be established, but I get the following error 
> message on the server:
> traffic selectors 192.168.1.0/32 192.168.2.0/24 === 192.168.1.0/24  
> inacceptable
> failed to establish CHILD_SA, keeping IKE_SA
> 
> On the first gateway I get:
> installing new virtual IP 192.168.0.1
> received TS_UNACCEPTABLE notify, no CHILD_SA built
> failed to establish CHILD_SA, keeping IKE_SA

Since you simply want to set up a site-to-site tunnel, the use of virtual
IPs (left|rightsourceip) is completely misplaced.

> ## Server.conf
> 
> config setup
> 
> conn base
> ...
>          leftsubnet=192.168.1.0

What you actually want is to use leftsubnet=<subnet 2> for the
connection with 1 and leftsubnet=<subnet 1> for the connection with 2.
The server obviously does not have to be directly connected to these
subnets, but this will result in the correct IPsec policies for the
traffic to get tunneled via the central server.  So remove the above
line and then change the rest as follows:

> ...
> conn vpn-first
           also=base
>          auto = add
>          rightcert = firstCert.pem
>          rightsubnet = 192.168.0.0/24
           leftsubnet = 192.168.2.0/24
Remove:
>          rightsourceip = 192.168.0.1
> 
> conn vpn-mann
           also=base
>          auto = add
>          rightcert = secondCert.pem
>          rightsubnet = 192.168.2.0/24
           leftsubnet = 192.168.0.0/24
Remove:
>          rightsourceip = 192.168.2.1
> 
> # First gateway ipsec.conf (second one skipped for the moment)
> 
> ...
> conn vpn-stern
> ...
Remove 192.168.1.0 from:
>          rightsubnet = 192.168.1.0,192.168.2.0/24
> ...
Remove:
>          leftsourceip = %config4

Regards,
Tobias
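
The reason the server rejects the CHILD_SA above is IKEv2 traffic-selector narrowing: the responder intersects the initiator's proposed selectors with its own left/rightsubnet and answers TS_UNACCEPTABLE when one side has no overlap. The following checker is an added illustration of that logic written for this page, not strongSwan code or part of the original thread; it leaves virtual IPs out and assumes the first gateway's own leftsubnet is 192.168.0.0/24 (the page shows only the server's matching rightsubnet).

```python
"""Model IKEv2 traffic-selector (TS) narrowing the way a responder such as
strongSwan applies it when deciding between a CHILD_SA and TS_UNACCEPTABLE."""
import ipaddress


def parse_subnets(spec):
    """Parse a strongSwan-style comma-separated subnet list.

    A bare address without a prefix length (the server's original
    'leftsubnet=192.168.1.0') is a single host, which is why the log
    shows it as 192.168.1.0/32 rather than a /24.
    """
    return [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",")]


def narrow(proposed, configured):
    """Return the intersections of proposed and configured selectors.

    Only containment counts: a proposal inside a configured subnet is kept
    as-is, a configured subnet inside a wider proposal narrows the proposal.
    An empty result means there is no acceptable traffic selector.
    """
    result = []
    for p in proposed:
        for c in configured:
            if p.subnet_of(c):
                result.append(p)
            elif c.subnet_of(p):
                result.append(c)
    return result


def check_child_sa(resp_left, resp_right, init_local, init_remote):
    """Responder view of a CHILD_SA proposal.

    TSi (initiator's local subnets) is narrowed against the responder's
    rightsubnet, TSr (initiator's remote subnets) against its leftsubnet.
    Returns (ok, tsi, tsr); ok is False when either list is empty.
    """
    tsi = narrow(parse_subnets(init_local), parse_subnets(resp_right))
    tsr = narrow(parse_subnets(init_remote), parse_subnets(resp_left))
    return bool(tsi) and bool(tsr), tsi, tsr


if __name__ == "__main__":
    # Constructed example: first gateway (assumed leftsubnet 192.168.0.0/24)
    # wants to reach the second site, 192.168.2.0/24, via the central server.
    for left in ("192.168.1.0", "192.168.2.0/24"):  # original vs corrected server
        ok, tsi, tsr = check_child_sa(left, "192.168.0.0/24", "192.168.0.0/24", "192.168.2.0/24")
        print(f"server leftsubnet={left}: {'CHILD_SA ok' if ok else 'TS_UNACCEPTABLE'}",
              [str(n) for n in tsi], "===", [str(n) for n in tsr])
```

The original server configuration yields TS_UNACCEPTABLE because 192.168.2.0/24 has no overlap with the /32 the server offers; with leftsubnet set to the other spoke's subnet the selectors narrow to 192.168.0.0/24 === 192.168.2.0/24 and the tunnel policy covers the cross-site traffic.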