[strongSwan] How to protect all traffic using strongswan?

Mirko Parthey mirko.parthey at web.de
Mon Jul 25 15:09:24 CEST 2016


On Mon, Jul 25, 2016 at 03:25:24PM +0530, Sarat Vajrapu wrote:
> Hi Mirko,
> 
> Thanks for the reply.
> I created loopback interface on each gateway and below is the required info:
> [...]

Hi Sarat,

Thank you for posting your configuration.

Please take a look at this example:
  https://www.strongswan.org/testing/testresults/ikev2/net2net-psk/
It could be a starting point for you to arrive at a working setup.

But it may not work in your environment because you have an unusual
network configuration, which we need to understand first.
That's why I would like to ask you a few more questions.

Where would the machine with IP address 10.1.1.1 be located in your diagram?
I don't see any public IP addresses on your gateways; how do they connect
to the internet?
When a host on LAN1 communicates with the public internet in cleartext,
is this traffic guaranteed to go through Gateway A?
How about communication from LAN1 to LAN2: is it guaranteed to go through
Gateway A?
Do these kinds of traffic enter and leave Gateway A through the same
interface, br_if?

> LAN<> can have many subnets.
Are there any routers between LAN1 and Gateway A,
or between LAN2 and Gateway B?
Can you provide examples of the IP address ranges used in LAN1 and LAN2?

Please provide the output of:
# ip address show
# ip route list
for gateways A and B and for an example host each on LAN1 and LAN2.

> GW_A#ping -I 1.1.1.1 2.2.2.2
> PING 2.2.2.2 (2.2.2.2) from 1.1.1.1 : 56(84) bytes of data.
> 64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=1.42 ms
> 64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=0.257 ms
> 64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=0.271 ms

For testing your tunnel, please use hosts on LAN1 and LAN2 separate from
your gateways.
This ensures you test what you intended and not something else.

If you don't need the 1.1.1.1 and 2.2.2.2 addresses for other purposes,
please remove them and restore your previous loopback config.

Regards,
Mirko
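The questions above boil down to one check: for a given LAN host, which next hop and interface does its routing table select for LAN2 and for the internet, and is that next hop the IPsec gateway? On the host itself `ip route get <dst>` answers this directly; the script below is an added example (not code from the list post or from the strongSwan project) that answers it offline from pasted `ip route list` output, so the same check can be run over the tables posted on a list. It does a longest-prefix, then lowest-metric, lookup. The routing table, the gateway address 10.1.0.1 and the destination addresses are constructed sample data; they are not taken from the thread.

```python
"""Longest-prefix route lookup over `ip route list` output.

Added example, not from the strongSwan list post or project. Given a LAN
host's routing table, it reports which next hop and interface carry traffic
to each destination and whether that next hop is the IPsec gateway.
All addresses and routes below are constructed sample data.
"""
import ipaddress
import re

# Matches the leading part of an `ip route list` line: destination, optional
# "via <nexthop>", optional "dev <ifname>", and whatever follows (proto,
# scope, src, metric, ...).
ROUTE_RE = re.compile(
    r"^(?P<dst>default|[0-9a-fA-F:.]+(?:/\d+)?)"
    r"(?:\s+via\s+(?P<via>\S+))?"
    r"(?:\s+dev\s+(?P<dev>\S+))?"
    r"(?:\s+(?P<rest>.*))?$"
)


def parse_routes(text):
    """Parse `ip route list` lines into (network, via, dev, metric) tuples."""
    routes = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROUTE_RE.match(line)
        if not m:
            raise ValueError("unparsed route line: %r" % line)
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst,
                                   strict=False)
        metric = 0
        mm = re.search(r"\bmetric\s+(\d+)", m.group("rest") or "")
        if mm:
            metric = int(mm.group(1))
        routes.append((net, m.group("via"), m.group("dev"), metric))
    return routes


def lookup(routes, dst):
    """Return (via, dev) for the longest-prefix, then lowest-metric, match.

    `via` is None for an on-link (directly connected) route. Returns None
    when no route covers the destination.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, dev, metric in routes:
        if addr.version != net.version or addr not in net:
            continue
        key = (net.prefixlen, -metric)   # longer prefix wins, then lower metric
        if best is None or key > best[0]:
            best = (key, via, dev)
    return None if best is None else (best[1], best[2])


def check_via_gateway(routes, destinations, gateway_ip):
    """Map each destination to (via, dev, goes_through_gateway)."""
    report = {}
    for dst in destinations:
        hit = lookup(routes, dst)
        if hit is None:
            report[dst] = (None, None, False)
            continue
        via, dev = hit
        report[dst] = (via, dev, via == gateway_ip)
    return report


# Constructed sample: a LAN1 host whose default route points at Gateway A's
# LAN address (hypothetical 10.1.0.1), but whose route to LAN2 (10.2.0.0/16)
# points at a different router. That is the kind of setup in which LAN1-to-LAN2
# traffic never reaches the IPsec gateway and so is never encrypted.
SAMPLE_HOST_ROUTES = """\
default via 10.1.0.1 dev eth0 proto static metric 100
10.1.0.0/16 dev eth0 proto kernel scope link src 10.1.7.42 metric 100
10.2.0.0/16 via 10.1.0.254 dev eth0 proto static
192.168.100.0/24 via 10.1.0.1 dev eth0 proto static metric 50
192.168.100.0/24 via 10.1.0.253 dev eth0 proto static metric 200
"""
GATEWAY_A_LAN_IP = "10.1.0.1"   # hypothetical address of Gateway A on LAN1


def sample_report():
    """Run the check over the constructed table for a few destinations."""
    routes = parse_routes(SAMPLE_HOST_ROUTES)
    # 203.0.113.9 is a TEST-NET-3 address standing in for "the internet".
    return check_via_gateway(
        routes, ["10.2.3.4", "203.0.113.9", "10.1.9.9", "192.168.100.7"],
        GATEWAY_A_LAN_IP)


if __name__ == "__main__":
    for dst, (via, dev, ok) in sample_report().items():
        print(f"{dst:16} via={via!s:12} dev={dev!s:6} through gateway: {ok}")
```

In the sample table the LAN2 destination 10.2.3.4 is routed via 10.1.0.254, not via Gateway A, while internet traffic does go via Gateway A; that is precisely the mismatch the questions in the reply are trying to uncover. Feed the function the real `ip route list` output of a LAN1 host and the real LAN address of Gateway A to run the same check on an actual network.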
