[strongSwan] How to protect all traffic using strongswan?

Sarat Vajrapu saratvajrapu1 at gmail.com
Tue Jul 26 08:48:03 CEST 2016


Hi Mirko,

Thanks for the reply.
Please see my reply inline [Sarat]

Regards,
Sarat

On Mon, Jul 25, 2016 at 6:39 PM, Mirko Parthey <mirko.parthey at web.de> wrote:

> On Mon, Jul 25, 2016 at 03:25:24PM +0530, Sarat Vajrapu wrote:
> > Hi Mirko,
> >
> > Thanks for the reply.
> > I created a loopback interface on each gateway and below is the required
> > info:
> > [...]
>
> Hi Sarat,
>
> Thank you for posting your configuration.
>
> Please take a look at this example:
>   https://www.strongswan.org/testing/testresults/ikev2/net2net-psk/
> It could be a starting point for you to arrive at a working setup.
>
> But it may not work in your environment because you have an unusual
> network configuration, which we need to understand first.
> That's why I would like to ask you a few more questions.
>
> Where would the machine with IP address 10.1.1.1 be located in your
> diagram?
>
[Sarat]: This is not a publicly deployed network. I am trying to test the
behavior in my local lab setup. 10.1.1.1 acts as a middle router.


> I don't see any public IP addresses on your gateways, how do they connect
> to the internet?
>
[Sarat]: This is only a lab setup.


> When a host on LAN1 communicates with the public internet in cleartext,
> is this traffic guaranteed to go through Gateway A?
>
[Sarat]: Ideally, GW_A would have the public IP address and yes, all the
traffic from LAN1 would go through Gateway A only.


> How about communication from LAN1 to LAN2, is it guaranteed to go through
> Gateway A?
>
[Sarat]: Yes


> Do these kinds of traffic enter and leave Gateway A through the same
> interface, br_if?

[Sarat]: Yes

>
> > LAN<> can have many subnets.
> Are there any routers between LAN1 and Gateway A,
> or between LAN2 and Gateway B?
> Can you provide examples of the IP address ranges used in LAN1 and LAN2?
>
[Sarat]: In my case, I really don't want to care about LAN IP addresses. I
want all traffic going through GW_x to be encrypted/decrypted.

>
> Please provide the output of:
> # ip address show
> # ip route list
> for gateways A and B and for an example host each on LAN1 and LAN2.
>

[Sarat]:
GW_A:~# ip route list
default via 10.1.1.1 dev br_if
2.2.2.2 via 10.1.1.218 dev br_if  proto static
10.1.1.0/24 dev br_if  proto kernel  scope link  src 10.1.1.216
10.1.1.218 via 10.1.1.218 dev br_if  proto static  src 10.1.1.216

GW_B:~# ip route list
default via 10.1.1.1 dev br_if
1.1.1.1 via 10.1.1.216 dev br_if  proto static
10.1.1.0/24 dev br_if  proto kernel  scope link  src 10.1.1.218
10.1.1.216 via 10.1.1.216 dev br_if  proto static  src 10.1.1.218

Since this is a lab setup, I configured IP address for br_if and loopback
only.

>
> > GW_A#ping -I 1.1.1.1 2.2.2.2
> > PING 2.2.2.2 (2.2.2.2) from 1.1.1.1 : 56(84) bytes of data.
> > 64 bytes from 2.2.2.2: icmp_seq=1 ttl=64 time=1.42 ms
> > 64 bytes from 2.2.2.2: icmp_seq=2 ttl=64 time=0.257 ms
> > 64 bytes from 2.2.2.2: icmp_seq=3 ttl=64 time=0.271 ms
>
> For testing your tunnel, please use hosts on LAN1 and LAN2 separate from
> your gateways.
> This ensures you test what you intended and not something else.
>
[Sarat]: I can give it a try but want to understand if the behavior would be
different from the loopback setup. The traffic between loopbacks also goes
through GW_A only.


> If you don't need the 1.1.1.1 and 2.2.2.2 addresses for other purposes,
> please remove them and restore your previous loopback config.
>
[Sarat]: This is only a lab setup.

>
> Regards,
> Mirko
>
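A minimal IKEv2 net-to-net PSK configuration in the shape of the net2net-psk example Mirko links to, added here as an illustration and not taken from the thread or from the strongSwan test suite; it assumes the gateway addresses shown in the route tables above (10.1.1.216 for GW_A, 10.1.1.218 for GW_B), placeholder LAN1/LAN2 ranges that must be replaced with the real subnets, and the classic ipsec.conf/ipsec.secrets format:

```ini
# /etc/ipsec.conf on GW_A (swap left/right values on GW_B).
# Addresses 10.1.1.216/218 come from the route tables in the thread;
# the LAN ranges and identities below are placeholders, not real values.
config setup

conn net-net
    keyexchange=ikev2
    authby=secret                  # pre-shared key, see ipsec.secrets
    left=10.1.1.216                # GW_A br_if address
    leftid=gw-a                    # placeholder identity
    leftsubnet=192.0.2.0/24        # PLACEHOLDER: replace with LAN1 range
    right=10.1.1.218               # GW_B br_if address
    rightid=gw-b                   # placeholder identity
    rightsubnet=198.51.100.0/24    # PLACEHOLDER: replace with LAN2 range
    auto=add                       # load on start, bring up with: ipsec up net-net

# /etc/ipsec.secrets on both gateways (same line on each side).
# Use a long random secret; the string here is a placeholder.
10.1.1.216 10.1.1.218 : PSK "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

After `ipsec up net-net`, `ip xfrm policy` on GW_A should show an `out` policy for LAN1 to LAN2 with an ESP template, and a ping between a LAN1 host and a LAN2 host (not the gateways themselves) should increase the byte counters in `ip xfrm state`, which is the end-to-end check Mirko asks for.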