[strongSwan] is my tunnel working and how to set up NAT
Geert Geurts
geert at verweggistan.eu
Thu May 12 16:10:17 CEST 2016
Hello List,
I want to create a rw setup for my VPS.
All seems to work correctly, but on the gateway side "ip -s xfrm
policy" and "ip -s xfrm state" remain empty.
Let me explain in a step by step order:
1) installed strongswan-5.3.2-1.el7.x86_64 on a CentOS 7.2 VPS.
2) made an ipsec.conf:
config setup

conn %default
        keyexchange=ikev2
        left=AA.BB.78.161
        leftsubnet=10.1.0.0/24
        leftsourceip=10.1.0.254
        leftdns=10.1.0.254
        leftcert=AA.BBCert.pem
        leftfirewall=yes
        right=%any
        mobike=yes
        fragmentation=yes
        lefthostaccess=yes
        dpdaction=clear
        closeaction=clear

conn rw-ZZ
        rightid="C=DE, O=strongSwan, CN=someone at domain.de"
        rightcert=ZZCert.pem
        rightsourceip=10.1.0.2
        rightsubnet=10.1.0.0/24
        auto=add

conn rw-DD
        rightid="C=DE, O=strongSwan, CN=someonelse at domain.de"
        rightcert=DDCert.pem
        rightsourceip=10.1.0.1
        rightsubnet=10.1.0.0/24
        auto=add
3) install strongswan-5.3.2-1.el7.x86_64, NetworkManager-strongswan-gnome-1.3.1-1.el7.x86_64, strongswan-charon-nm-5.3.2-1.el7.x86_64
and NetworkManager-strongswan-1.3.1-1.el7.x86_64 on a CentOS 7.2
roadwarrior laptop
4) initiate a nm strongswan connection to my VPS
* all works fine, I can ping 10.1.0.254, ssh to 10.1.0.254 and end up
at VPS side. An ip -s xfrm state gives
src CUR_IP dst AA.BB.78.161
...
...
src AA.BB.78.161 dst CUR_IP dst
...
...
Just like it shows in the examples from the strongSwan website.
But on the gateway side, the VPS machine with ip AA.BB.78.161 doesn't
give any output from the command ip -s xfrm state or policy...
Although I can ping virtual ips of roadwarriors...
Does this mean encryption only goes one way?? What am I doing wrong here?
Second question.
I want to be able to use the gateway as default route so I can tunnel
all my traffic from roadwarriors, but not necessarily... so sometimes I
want to manually add a route to AA.BB.78.161 and change the default
route to AA.BB.78.161, but otherwise just use the tunnel for traffic
to the virtual ip 10.1.0.254.
What kind of iptables rules are needed for this on the gateway side?
Thanks for any help!!
Best regards,
Geert
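The following is an added example, not code from the mail above or from the strongSwan project. It covers the two gateway-side checks the post asks about: the nat-table rules a gateway usually needs when roadwarriors with virtual IPs send traffic out through it, and a small helper that summarises what the kernel's `ip xfrm state` dump actually contains. Everything is assumed except what the mail gives: the gateway's public interface is taken to be eth0, the virtual-IP pool to be 10.1.0.0/24, and the sample `ip xfrm state` lines at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail or strongSwan). Assumed values:
VIP_POOL="10.1.0.0/24"   # pool the roadwarriors get their virtual IPs from (assumed)
WAN_IF="eth0"            # public interface of the gateway (assumed)

# Print the nat-table rules for a gateway that forwards roadwarrior traffic.
# The first rule exempts packets that still carry an outbound IPsec policy
# (traffic that goes back into a tunnel, e.g. to another roadwarrior) from
# masquerading, so their source address stays intact. The second rule
# masquerades everything else from the pool that leaves via the public
# interface. Only the commands are printed; apply them as root with:
#   nat_rules | sh
nat_rules() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -m policy --dir out --pol ipsec -j ACCEPT\n' \
        "$VIP_POOL" "$WAN_IF"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
        "$VIP_POOL" "$WAN_IF"
}

# Kernel setting the gateway needs before it forwards anything for the clients.
forwarding_rule() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
}

# Summarise an `ip xfrm state` dump read on stdin as one "src -> dst" line per
# SA. Every SA starts with an unindented "src A dst B" line; the indented detail
# lines (proto, auth, enc, stats) are skipped. An established tunnel has one SA
# per direction, so a gateway with one connected client should print two lines.
# Dumping SAs needs CAP_NET_ADMIN, so feed this from a root shell:
#   ip xfrm state | sa_directions
sa_directions() {
    awk '/^src [^ ]+ dst /{print $2 " -> " $4}'
}

# Count the entries in an `ip xfrm state` or `ip xfrm policy` dump read on
# stdin. Both formats start each entry with an unindented "src ... dst ..." line
# ("tmpl src ..." lines inside a policy are indented and therefore not counted).
count_entries() {
    grep -c '^src [^ ]* dst ' || true
}

# Constructed sample of what a healthy gateway would show for one client
# (addresses invented; a real dump carries spi, reqid, algorithms and, with -s,
# byte and packet counters).
SAMPLE_STATE='src 203.0.113.10 dst 198.51.100.5
	proto esp spi 0x00000001 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
src 198.51.100.5 dst 203.0.113.10
	proto esp spi 0x00000002 reqid 1 mode tunnel
	replay-window 32 flag af-unspec'

# Stand-alone run: print the rules and, when run as root with iproute2 present,
# the directions of the SAs the kernel currently holds.
if [ "${DEMO:-1}" = 1 ]; then
    forwarding_rule
    nat_rules
    if command -v ip >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        ip xfrm state | sa_directions
    else
        printf '%s\n' "$SAMPLE_STATE" | sa_directions
    fi
fi
```

The `-m policy --dir out --pol ipsec` exemption is what keeps tunnel-bound traffic out of MASQUERADE; without it the gateway rewrites the source of packets that are about to be encapsulated, and the remote end then sees traffic from the wrong address. Whether a client sends its default route through the tunnel or only the 10.1.0.0/24 traffic is decided by the traffic selector the client negotiates (its `rightsubnet`/`leftsubnet` view of the gateway), not by these gateway rules; the rules above work for both cases.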