[strongSwan] How to protect all traffic using strongswan?
mirko.parthey at web.de
Tue Jul 26 13:52:49 CEST 2016
On Tue, Jul 26, 2016 at 12:18:03PM +0530, Sarat Vajrapu wrote:
> [Sarat]: This is only a lab setup.
Yes, good idea to try this in the lab first.
> When a host on LAN1 communicates with the public internet in cleartext,
> is this traffic guaranteed to go through Gateway A?
> [Sarat]: Ideally, GW_A would have the public IP address and yes, all the
> traffic from LAN1 would go through Gateway A only.
This is good for a first setup, makes things easier.
> How about communication from LAN1 to LAN2, is it guaranteed to go through
> Gateway A?
> [Sarat]: Yes
> Do these kinds of traffic enter and leave Gateway A through the same
> interface, br_if?
> [Sarat]: Yes
While this can work, I would not recommend it for a start.
Instead, I would give Gateway A two interfaces, not bridged,
but given IP addresses in different subnets, as in the example.
This makes diagnosing problems easier.
The same applies to Gateway B.
Don't forget to enable IP forwarding.
> > LAN<> can have many subnets.
> Are there any routers between LAN1 and Gateway A,
> or between LAN2 and Gateway B?
> Can you provide examples of the IP address ranges used in LAN1 and LAN2?
> [Sarat]: In my case, I really don't want to care about LAN IP addresses.
> I want all traffic going through GW_x to be encrypted/decrypted.
IPsec requires you to care, by its design.
The example will stop working for the LAN hosts if you remove leftsubnet
and rightsubnet from the config.
Since your requirements are mostly left open, I cannot say much here.
Scattered address spaces can sometimes be handled with route aggregation.
> GW_A:~# ip route list
> 188.8.131.52 via 10.1.1.218 dev br_if proto static
> GW_B:~# ip route list
> 184.108.40.206 via 10.1.1.216 dev br_if proto static
> Since this is a lab setup, I configured an IP address for br_if and loopback
You have 220.127.116.11 and 18.104.22.168 on br_if, not on the loopback device
as I had understood before. br_if is good.
> > GW_A#ping -I 22.214.171.124 126.96.36.199
> > PING 188.8.131.52 (184.108.40.206) from 220.127.116.11 : 56(84) bytes of data.
> > 64 bytes from 18.104.22.168: icmp_seq=1 ttl=64 time=1.42 ms
> > 64 bytes from 22.214.171.124: icmp_seq=2 ttl=64 time=0.257 ms
> > 64 bytes from 126.96.36.199: icmp_seq=3 ttl=64 time=0.271 ms
> For testing your tunnel, please use hosts on LAN1 and LAN2 separate from
> your gateways.
> This ensures you test what you intended and not something else.
> [Sarat]: I can give it a try but want to understand if the behavior would be
> different with the loopback setup. The traffic between loopbacks also goes
> through GW_A only.
Here is my advice:
Please reproduce the example I pointed out to you in your lab -
exactly, without modifications.
You can leave out winnetou if you don't need it.
No need for lots of hardware, you can use virtual machines.
Now you should have a working setup.
Modify it in small steps. Test after each modification.
When it stops working, fix it.
Do this until you arrive at a setup which will meet your requirements.
If you find that's not possible, you may have to reconsider
your requirements or your approach.
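The reply keeps pointing back to the strongSwan net2net example and to three things that matter for a gateway-to-gateway tunnel: each gateway needs its own leftsubnet/rightsubnet traffic selectors, IP forwarding must be enabled on the gateways, and tests have to be run from LAN hosts rather than from the gateways themselves. The configuration below is an added illustration in that style; it is not from the thread or from the strongSwan project, and all addresses, identities and certificate file names are placeholders (constructed RFC 5737 documentation ranges and private LAN prefixes).

```conf
# /etc/ipsec.conf on Gateway A (constructed example; mirror left/right on Gateway B)
config setup

conn net-net
    keyexchange=ikev2
    # Gateway A: its own untrusted-side address and the LAN1 prefix it protects.
    # Without leftsubnet/rightsubnet the tunnel only covers the two gateway
    # addresses, which is why LAN hosts stop working if they are removed.
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    leftid=@gwa.example.org
    leftcert=gwaCert.pem
    # Gateway B and the LAN2 prefix behind it.
    right=198.51.100.1
    rightsubnet=10.2.0.0/16
    rightid=@gwb.example.org
    auto=start

# /etc/sysctl.d/99-ipsec-gw.conf on both gateways: the gateway must route
# between its LAN interface and its untrusted interface.
net.ipv4.ip_forward = 1
```

Two points follow directly from this layout. If LAN1 consists of several scattered prefixes, leftsubnet can either list them (comma-separated, with IKEv2) or name one aggregate prefix that covers them all, which is the route-aggregation approach mentioned above. And a ping sent from the gateway's own interface address only matches the tunnel if that address falls inside leftsubnet; a packet from a host in 10.1.0.0/16 to a host in 10.2.0.0/16 always does, so the LAN-to-LAN test proves what the gateway-to-gateway ping cannot.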