[strongSwan] How to protect all traffic using strongswan?

Mirko Parthey mirko.parthey at web.de
Tue Jul 26 13:52:49 CEST 2016

On Tue, Jul 26, 2016 at 12:18:03PM +0530, Sarat Vajrapu wrote:
> [Sarat]: This is only a lab setup.

Yes, good idea to try this in the lab first.

>     When a host on LAN1 communicates with the public internet in cleartext,
>     is this traffic guaranteed to go through Gateway A?
> [Sarat]: Ideally, GW_A would have the public IP address and yes all the
> traffic 
> from LAN1 would go through Gateway A only.

This is good for a first setup, makes things easier.

>     How about communication from LAN1 to LAN2, is it guaranteed to go through
>     Gateway A?
> [Sarat]: Yes

Also good.

>     Do these kinds of traffic enter and leave Gateway A through the same
>     interface, br_if?
> [Sarat]: Yes 

While this can work, I would not recommend it for a start.
Instead, I would give Gateway A two interfaces, not bridged,
but given IP addresses in different subnets, as in the example.
This makes diagnosing problems easier.
The same applies to Gateway B.
Don't forget to enable IP forwarding.

>     > LAN<> can have many subnets.
>     Are there any routers between LAN1 and Gateway A,
>     or between LAN2 and Gateway B?
>     Can you provide examples of the IP address ranges used in LAN1 and LAN2?
> [Sarat]: In my case, I really don't want to care about LAN IP addresses.
> I want all traffic going through GW_x to be encrypted/decrypted.

IPsec requires you to care, by its design.
The example will stop working for the LAN hosts if you remove leftsubnet
and rightsubnet from the config.

Since your requirements are mostly left open, I cannot say much here.
Scattered address spaces can sometimes be handled with route aggregation

> [Sarat]:
> GW_A:~# ip route list
> via dev br_if  proto static 
> GW_B:~# ip route list
> via dev br_if  proto static 
> Since this is a lab setup, I configured IP address for br_if and loopback
> only. 

You have and on br_if, not on the loopback device
as I had understood before. br_if is good.

>     > GW_A#ping -I
>     > PING ( from : 56(84) bytes of data.
>     > 64 bytes from icmp_seq=1 ttl=64 time=1.42 ms
>     > 64 bytes from icmp_seq=2 ttl=64 time=0.257 ms
>     > 64 bytes from icmp_seq=3 ttl=64 time=0.271 ms
>     For testing your tunnel, please use hosts on LAN1 and LAN2 separate from
>     your gateways.
>     This ensures you test what you intended and not something else.
> [Sarat]: I can give a try but want to understand if the behavior be different
> from
> loopback setup. The traffic between loopbacks also go from GW_A only.

Here is my advice:
Please reproduce the example I pointed out to you in your lab -
exactly, without modifications.
You can leave out winnetou if you don't need it.
No need for lots of hardware, you can use virtual machines.
Now you should have a working setup.

Modify it in small steps. Test after each modification.
When it stops working, fix it.
Do this until you arrive at a setup which will meet your requirements.
If you find that's not possible, you may have to reconsider
your requirements or your approach.


More information about the Users mailing list