[strongSwan] Setup site-to-site VPN via central server

Martin Sand dborn at gmx.net
Thu Jul 14 22:24:58 CEST 2016


Hi Tobias

Sorry for the late response. I already changed the conf yesterday and 
found out that my vServer does not have the required kernel modules 
built in.
So I had to request a new cloud based server and move all my web sites 
and VPN connection details to the new server.

Many thanks, here is the result of your proposed changes:
connection 'vpn-first' established successfully

Should I document this setup somewhere on the Wiki?

Out of curiosity, how would you configure the server and client if I 
would like to add vpn-third subnet with 192.168.3.0?

Best regards
Martin


On 07/13/2016 03:49 PM, Tobias Brunner wrote:
> Hi Martin,
>
>> Regarding #1, on the server I have configured another IP address for the
>> network device:
>> ip addr add 192.168.1.0/24 dev eth0
>>
>> Do I need to add a route as well?
> You won't need either of that to connect the two subnets.
>
>> Central server internal IP: 192.168.1.0, external IP: vpn.example.org
>> First home gateway: 192.168.0.1/24
>> Second home gateway: 192.168.2.1/24
>>
>> Please find below my ipsec.conf
> See my comments below.
>
>> The connection seems to be established, but I get the following error
>> message on the server:
>> traffic selectors 192.168.1.0/32 192.168.2.0/24 === 192.168.1.0/24
>> inacceptable
>> failed to establish CHILD_SA, keeping IKE_SA
>>
>> On the first gateway I get:
>> installing new virtual IP 192.168.0.1
>> received TS_UNACCEPTABLE notify, no CHILD_SA built
>> failed to establish CHILD_SA, keeping IKE_SA
> Since you simply want to set up a site-site tunnel the use of virtual
> IPs (left|rightsourceip) is completely misplaced.
>
>> ## Server.conf
>>
>> config setup
>>
>> conn base
>> ...
>>           leftsubnet=192.168.1.0
> What you actually want is to use leftsubnet=<subnet 2> for the
> connection with 1 and leftsubnet=<subnet 1> for the connection with 2.
> The server obviously does not have to be directly connected to these
> subnets, but this will result in the correct IPsec policies for the
> traffic to get tunneled via the central server.  So remove the above
> line and then change the rest as follows:
>
>> ...
>> conn vpn-first
>             also=base
>>           auto = add
>>           rightcert = firstCert.pem
>>           rightsubnet = 192.168.0.0/24
>             leftsubnet = 192.168.2.0/24
> Remove:
>>           rightsourceip = 192.168.0.1
>>
>> conn vpn-mann
>             also=base
>>           auto = add
>>           rightcert = secondCert.pem
>>           rightsubnet = 192.168.2.0/24
>             leftsubnet = 192.168.0.0/24
> Remove:
>>           rightsourceip = 192.168.2.1
>>
>> # First gateway ipsec.conf (second one skipped for the moment)
>>
>> ...
>> conn vpn-stern
>> ...
> Remove 192.168.1.0 from:
>>           rightsubnet = 192.168.1.0,192.168.2.0/24
>> ...
> Remove:
>>           leftsourceip = %config4
> Regards,
> Tobias
>
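As an added example, not part of this thread and not strongSwan's own code: a small Python script that generates the hub-and-spoke ipsec.conf stanzas Tobias describes and extends them to a third site, the 192.168.3.0/24 subnet Martin asks about. It also lints that what the hub calls left/right is exactly what each home gateway calls right/left. The spoke conn names, the certificate file names and the third subnet are constructed assumptions.

```python
import ipaddress

# Constructed site table (an assumption for this example): the two home sites
# from the thread plus the third subnet asked about. Conn names, cert file
# names and 192.168.3.0/24 are placeholders, not taken from a real setup.
SITES = {
    "vpn-first":  {"subnet": "192.168.0.0/24", "cert": "firstCert.pem"},
    "vpn-second": {"subnet": "192.168.2.0/24", "cert": "secondCert.pem"},
    "vpn-third":  {"subnet": "192.168.3.0/24", "cert": "thirdCert.pem"},
}


def normalize(subnet: str) -> str:
    """Canonical CIDR form. A bare address such as '192.168.1.0' becomes a
    single-host /32, which is how it showed up in the server log above."""
    return str(ipaddress.ip_network(subnet, strict=False))


def hub_conns(sites: dict) -> dict:
    """Per-spoke conn on the central server: rightsubnet is the spoke's own
    network, leftsubnet is every *other* spoke network, so the IPsec policies
    carry spoke-to-spoke traffic through the hub."""
    conns = {}
    for name, site in sites.items():
        others = sorted(normalize(s["subnet"]) for n, s in sites.items() if n != name)
        conns[name] = {
            "rightcert": site["cert"],
            "rightsubnet": [normalize(site["subnet"])],
            "leftsubnet": others,
        }
    return conns


def spoke_conn(sites: dict, name: str) -> dict:
    """The matching conn on one home gateway: left is its own LAN, right is
    every other site's LAN (no virtual IPs, no sourceip settings)."""
    own = normalize(sites[name]["subnet"])
    others = sorted(normalize(s["subnet"]) for n, s in sites.items() if n != name)
    return {"leftsubnet": [own], "rightsubnet": others}


def selectors_mirror(hub: dict, spoke: dict) -> bool:
    """Configuration lint: the hub's left/right sets must equal the spoke's
    right/left sets, otherwise the two ends describe different networks."""
    return (set(hub["leftsubnet"]) == set(spoke["rightsubnet"])
            and set(hub["rightsubnet"]) == set(spoke["leftsubnet"]))


def render_hub(sites: dict) -> str:
    """ipsec.conf stanzas for the server, in the style used in the thread."""
    out = []
    for name, c in hub_conns(sites).items():
        out += [f"conn {name}",
                "        also=base",
                "        auto=add",
                f"        rightcert={c['rightcert']}",
                f"        rightsubnet={','.join(c['rightsubnet'])}",
                f"        leftsubnet={','.join(c['leftsubnet'])}",
                ""]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_hub(SITES))
    for site in SITES:
        ok = selectors_mirror(hub_conns(SITES)[site], spoke_conn(SITES, site))
        print(f"{site}: selectors {'mirror' if ok else 'DO NOT mirror'}")
```

The generalization the script encodes: with three or more sites, each spoke's conn on the server lists every other site's network in leftsubnet, and each home gateway lists every other site's network in rightsubnet (strongSwan accepts a comma-separated list there with IKEv2). normalize() also shows why a bare `192.168.1.0` appeared as `192.168.1.0/32` in the server log. For spoke-to-spoke packets to actually pass through the central server, IP forwarding must be enabled on it (net.ipv4.ip_forward=1); that is a kernel setting, not something ipsec.conf does for you.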
