[strongSwan] How to protect all traffic using strongswan?

Sarat Vajrapu saratvajrapu1 at gmail.com
Mon Jul 25 11:55:24 CEST 2016


Hi Mirko,

Thanks for the reply.
I created a loopback interface on each gateway; below is the required info:

GW_A:

****Config****
conn ipsec-local
        left=10.1.1.216
        esp=aes128-sha256

conn ipsec-10.1.1.218
        also=ipsec-local
        leftauth=psk
        right=10.1.1.218
        rightauth=psk
        keyexchange=ikev2
        type=tunnel
        auto=start

*****ifconfig lo:1****
lo:1      Link encap:Local Loopback
          inet addr:1.1.1.1  Mask:255.255.255.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1

*****route -n*****
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.1.1        0.0.0.0         UG    0      0        0 br_if
2.2.2.2         10.1.1.218      255.255.255.255 UGH   0      0        0 br_if
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 br_if
10.1.1.218      10.1.1.218      255.255.255.255 UGH   0      0        0 br_if



GW_B:

****Config****
conn ipsec-local
        left=10.1.1.218
        esp=aes128-sha256

conn ipsec-10.1.1.216
        also=ipsec-local
        leftauth=psk
        right=10.1.1.216
        rightauth=psk
        keyexchange=ikev2
        type=tunnel
        auto=start

****ifconfig lo:1****
lo:1      Link encap:Local Loopback
          inet addr:2.2.2.2  Mask:255.255.255.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1

****route -n****
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.1.1.1        0.0.0.0         UG    0      0        0 br_if
1.1.1.1         10.1.1.216      255.255.255.255 UGH   0      0        0 br_if
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 br_if
10.1.1.216      10.1.1.216      255.255.255.255 UGH   0      0        0 br_if

Logs:
*****

****tcpdump -i br_if esp****

GW_A#ping 10.1.1.218
PING 10.1.1.218 (10.1.1.218) 56(84) bytes of data.
64 bytes from 10.1.1.218: icmp_seq=1 ttl=64 time=1.84 ms
64 bytes from 10.1.1.218: icmp_seq=2 ttl=64 time=0.629 ms

GW_B#tcpdump -i br_if esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br_if, link-type EN10MB (Ethernet), capture size 65535 bytes
00:19:01.098941 IP test.local > test-2.local: ESP(spi=0xc2511019,seq=0x1), length 136
00:19:01.099243 IP test-2.local > test.local: ESP(spi=0xcd2a2bdb,seq=0x1), length 136
00:19:02.099627 IP test.local > test-2.local: ESP(spi=0xc2511019,seq=0x2), length 136
00:19:02.099888 IP test-2.local > test.local: ESP(spi=0xcd2a2bdb,seq=0x2), length 136

GW_A#ping -I 1.1.1.1 2.2.2.2
PING 2.2.2.2 (2.2.2.2) from 1.1.1.1 : 56(84) bytes of data.
64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=1.42 ms
64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=0.257 ms
64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=0.271 ms

GW_B#tcpdump -i br_if esp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br_if, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel


Regards,
Sarat

On Sat, Jul 23, 2016 at 4:11 PM, Mirko Parthey <mirko.parthey at web.de> wrote:

> On Tue, Jul 05, 2016 at 05:40:43PM +0530, Sarat Vajrapu wrote:
> > I am new to strongSwan and am trying to protect host-to-host traffic
> > using IPsec tunnel mode. However, I observe that only the traffic
> > between the endpoints is protected and not the complete traffic.
> >
> > Topology:
> >
> > <<<<<LAN1>>>> ------- GW_A <---------- internet---------------> GW_B -------------------- <<<<<LAN2>>>>>>
> >
> > [...]
> > Can you please help me with this - any config addition/any change in
> > the routing table?
>
> Hi Sarat,
>
> Please show us your strongSwan config and gateway routing tables,
> if possible.
>
> Regards,
> Mirko
>
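The configs posted above never state which traffic the tunnel should carry. With no leftsubnet/rightsubnet, strongSwan's traffic selectors default to the left/right addresses themselves (10.1.1.216/32 <-> 10.1.1.218/32), which is exactly what the captures show: the gateway-to-gateway ping is ESP, while the 1.1.1.1 -> 2.2.2.2 ping matches no IPsec policy and is forwarded in the clear over the static host route. The following ipsec.conf for GW_A is an added example (not from this thread and not strongSwan's own documentation) with the selectors widened to cover the loopback addresses and, as a second variant, the LAN prefixes. The LAN prefixes 192.168.1.0/24 and 192.168.2.0/24, the ike= proposal and the PSK are assumptions; every other address is taken from the thread.

```ini
# /etc/ipsec.conf on GW_A (added example). GW_B is the mirror image:
# swap every left/right value. 10.1.1.216, 10.1.1.218, 1.1.1.1 and 2.2.2.2
# come from the thread; 192.168.1.0/24 and 192.168.2.0/24 are assumed
# LAN prefixes.
config setup

conn ipsec-local
        left=10.1.1.216
        esp=aes128-sha256
        # Pinning the IKE proposal is not part of the fix, just an
        # assumed hardening so the SA does not fall back to defaults.
        ike=aes128-sha256-modp2048

conn ipsec-10.1.1.218
        also=ipsec-local
        leftauth=psk
        right=10.1.1.218
        rightauth=psk
        keyexchange=ikev2
        type=tunnel
        auto=start
        # Traffic selectors. Without these two lines the tunnel only
        # carries 10.1.1.216 <-> 10.1.1.218. IKEv2 accepts a comma-separated
        # list, so the gateway addresses stay covered alongside the
        # loopback hosts and the (assumed) LAN prefixes.
        leftsubnet=10.1.1.216/32,1.1.1.1/32,192.168.1.0/24
        rightsubnet=10.1.1.218/32,2.2.2.2/32,192.168.2.0/24

# ----- /etc/ipsec.secrets on both gateways (assumed placeholder PSK) -----
# 10.1.1.216 10.1.1.218 : PSK "replace-with-a-long-random-secret"
```

After `ipsec reload` (or `ipsec restart`) on both gateways, `ipsec statusall` should show the CHILD_SA with the widened selectors on both sides of the `===`, and `ip xfrm policy` should list matching `out`/`in`/`fwd` policies for 1.1.1.1/32 <-> 2.2.2.2/32; repeating `ping -I 1.1.1.1 2.2.2.2` should then produce ESP packets in the `tcpdump -i br_if esp` capture instead of zero. The static `2.2.2.2 via 10.1.1.218` host route is not needed for this: charon installs its own route for rightsubnet in routing table 220 (its default `install_routes` behaviour), and the IPsec policy check happens on the forwarding path regardless of which route the packet took.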