[strongSwan] is my tunnel working and how to set up NAT

Geert Geurts geert at verweggistan.eu
Thu May 12 16:10:17 CEST 2016


Hello list,
I want to create a rw setup for my VPS.
All seems to work correctly, but on the gateway side "ip -s xfrm
policy" and "ip -s xfrm state" remain empty.
Let me explain in step-by-step order:
1) installed strongswan-5.3.2-1.el7.x86_64 on a centos 7.2 VPS.

2) made an ipsec.conf:
config setup
conn %default
        keyexchange=ikev2
        left=AA.BB.78.161
        leftsubnet=10.1.0.0/24
        leftsourceip = 10.1.0.254
        leftdns=10.1.0.254
        leftcert=AA.BBCert.pem
        leftfirewall=yes
        right=%any
        mobike=yes
        fragmentation = yes
        lefthostaccess = yes
        dpdaction = clear
        closeaction = clear


conn rw-ZZ
        rightid="C=DE, O=strongSwan, CN=someone at domain.de"
        rightcert=ZZCert.pem
        rightsourceip=10.1.0.2
        rightsubnet=10.1.0.0/24
        auto=add

conn rw-DD
        rightid="C=DE, O=strongSwan, CN=someonelse at domain.de"
        rightcert=DDCert.pem
        rightsourceip=10.1.0.1
        rightsubnet=10.1.0.0/24
        auto=add

3) install strongswan-5.3.2-1.el7.x86_64, NetworkManager-strongswan-gnome-1.3.1-1.el7.x86_64, strongswan-charon-nm-5.3.2-1.el7.x86_64
and NetworkManager-strongswan-1.3.1-1.el7.x86_64 on a CentOS 7.2
roadwarrior laptop

4) initiate a nm strongswan connection to my VPS

* all works fine, I can ping 10.1.0.254, ssh to 10.1.0.254 and end up
at VPS side. An ip -s xfrm state gives
src CUR_IP dst AA.BB.78.161
 ...
...
src AA.BB.78.161 dst CUR_IP dst
...
...

Just like it shows in the examples from the strongSwan website.
But on the gateway side, the VPS machine with ip AA.BB.78.161 doesn't
give any output from the command ip -s xfrm state or policy...
Although I can ping virtual ips of roadwarriors...
Does this mean encryption only goes one way?? What am I doing wrong here?

Second question.
I want to be able to use the gateway as default route so I can tunnel
all my traffic from roadwarriors, but not necessarily... so sometimes I
want to manually add a route to AA.BB.78.161 and change the default
route to AA.BB.78.161, but otherwise just use the tunnel for traffic
to the virtual ip 10.1.0.254.
What kind of iptables rules are needed for this on the gateway side?

Thanks for any help!!

Best regards,
Geert
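The gateway-side rule set the second question asks about, as an added example that is not part of the original post or of strongSwan's own documentation: it renders the iptables and sysctl commands for a roadwarrior gateway that hands out virtual IPs from the 10.1.0.0/24 pool named in the ipsec.conf above and lets clients use the gateway as their default route. The public interface name eth0 is an assumption; the script prints the rules for review rather than applying them, so it runs without root. The order matters: the POSTROUTING rule that exempts IPsec-bound packets must come before the MASQUERADE rule, otherwise replies to clients and client-to-client traffic get source-NATed before encryption and the tunnel breaks.

```shell
#!/bin/sh
# Added example (not from the original post): render the gateway-side
# iptables rules for a strongSwan roadwarrior setup that hands out
# virtual IPs from 10.1.0.0/24 and also lets clients use the gateway as
# their default route. Assumptions: the public interface is eth0
# (placeholder; adjust), and the rules are printed for review rather
# than applied, so this runs as an unprivileged user.

VPN_POOL="10.1.0.0/24"   # virtual IP pool from the post's ipsec.conf
WAN_IF="eth0"            # assumed name of the VPS public interface

render_rules() {
    pool="$1"; wan="$2"
    cat <<EOF
# Kernel must forward packets between the tunnel and the internet.
sysctl -w net.ipv4.ip_forward=1

# 1) Forward only traffic that arrived or will leave through an IPsec SA.
#    '-m policy --pol ipsec' matches packets covered by an XFRM policy,
#    so plain-text packets spoofing a pool address are still dropped.
iptables -A FORWARD -m policy --dir in  --pol ipsec --proto esp -s $pool -j ACCEPT
iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -d $pool -j ACCEPT

# 2) Do NOT masquerade packets that will be encrypted on the way out
#    (replies back to a client, or client-to-client traffic); this rule
#    must precede the masquerade rule or the tunnel breaks.
iptables -t nat -A POSTROUTING -s $pool -o $wan -m policy --dir out --pol ipsec -j ACCEPT

# 3) Everything else from the pool that leaves via the public interface
#    is source-NATed to the gateway address (full-tunnel clients).
iptables -t nat -A POSTROUTING -s $pool -o $wan -j MASQUERADE
EOF
}

# Helper for review/checks: count rendered lines matching a pattern.
count_rule() { render_rules "$VPN_POOL" "$WAN_IF" | grep -c -- "$1"; }

# Line number of the first rendered line matching a pattern (for ordering checks).
line_of() { render_rules "$VPN_POOL" "$WAN_IF" | grep -n -- "$1" | head -n 1 | cut -d: -f1; }

render_rules "$VPN_POOL" "$WAN_IF"
```

Clients that only want the tunnel for 10.1.0.254 need no extra gateway rule: whether a client sends all traffic or only 10.1.0.0/24 through the SA is decided by the client's routes and the negotiated traffic selectors, and the gateway rules above handle both cases.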

