[strongSwan] Road warriors and site-to-site ping each other
Noel Kuntze
noel at familie-kuntze.de
Mon Mar 13 19:17:17 CET 2017
On 13.03.2017 19:05, Hoggins! wrote:
> ... so if my gateway A keeps 192.168.22.0/24 as its "real" network, but
> gets – let's say – a TS 192.168.33.0/24 == 192.168.55.0/24, my road
> warriors would also be on 192.168.33.0/24 (if configured accordingly, of
> course), and be able to talk to gateway A.
TL;DR:
Nah. You need a second CHILD_SA for 192.168.22.0/24 == 192.168.33.0/24 between
site A and site B
Short diagram time:
Current situation:
site A (192.168.22.0/24) == site B (192.168.55.0/24) == roadwarriors (192.168.33.0/24)
site A == site B: 192.168.22.0/24 == 192.168.55.0/24
site B == roadwarriors: 192.168.55.0/24 == 192.168.33.0/24
The tunnel between site A and B doesn't protect traffic between 192.168.22.0/24 == 192.168.33.0/24
You need to build a second CHILD_SA between site A and site B that protects
the traffic 192.168.22.0/24 == 192.168.33.0/24, because the one you currently have
only protects 192.168.22.0/24 == 192.168.55.0/24.
Think in IP subnets, not broadcast domains.
>
> Now... (as you understood from my previous messages, there are many
> basic things that I don't know)
Oh boy, this is going to take a while then.
> I would like my road warriors on 192.168.33.0/24 to contact hosts on
> 192.168.22.0/24 and vice-versa. Can I do this by adding the
> 192.168.22.0/24 subnet somewhere ? Like
> leftsubnet=192.168.22.0/24,192.168.33.0/24 on host A (but then, how will
> the dynamic IP address be chosen amongst these two networks?
> Should I order the declarations so that the first one is the one in
> which the dyn IP will be attributed ?), and
> rightsubnet=192.168.22.0/24,192.168.33.0/24,192.168.55.0/24 or something
> like that ?
Err, no.
You need to tell strongswan which subnets are local and which are remote.
For site A, 192.168.22.0/24 is local, 192.168.33.0/24 and 192.168.55.0/24 are reachable over site B.
For site B, 192.168.55.0/24 is local, 192.168.22.0/24 is reachable over site A and roadwarriors are attached
with several tunnels (probably many tunnels to some single hosts in 192.168.33.0/24,
like 192.168.33.1/32, 192.168.33.2/32)
For roadwarriors, their virtual IP is local, 192.168.22.0/24 and 192.168.55.0/24 are reachable over site B (if you want to enable roadwarriors
to reach other roadwarriors, you have to tell them too, that 192.168.33.0/24 is reachable over site B)
>
> Don't judge me, I'm playing with things I don't understand well.
>
> Thanks anyway for all this help.
>
> Hoggins!
>
--
Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
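The three-site layout above, written out as ipsec.conf fragments. This is an added example, not configuration posted by either participant. Gateway addresses (198.51.100.1 for site A, 203.0.113.1 for site B), the identities and the PSK are assumptions for illustration; the subnets are the ones from the thread. The point it shows is Noel's second CHILD_SA: site A and site B keep their existing conn for 192.168.22.0/24 == 192.168.55.0/24 and add a second conn, for 192.168.22.0/24 == 192.168.33.0/24, that shares the same IKE_SA because its peer and authentication settings are identical.

```ini
# ---- site A (gateway 198.51.100.1, LAN 192.168.22.0/24) --------------------
# Assumed addresses/IDs; only the subnets come from the thread.
conn %default
    keyexchange=ikev2
    authby=secret
    left=198.51.100.1
    leftid=@siteA
    right=203.0.113.1
    rightid=@siteB

# CHILD_SA 1: existing tunnel, site A LAN <-> site B LAN
conn siteA-siteB-lan
    leftsubnet=192.168.22.0/24
    rightsubnet=192.168.55.0/24
    auto=start

# CHILD_SA 2: the missing one, site A LAN <-> road-warrior pool behind site B.
# Same IKE peer, so charon reuses the IKE_SA and only adds a CHILD_SA.
conn siteA-siteB-roadwarriors
    leftsubnet=192.168.22.0/24
    rightsubnet=192.168.33.0/24
    auto=start

# ---- site B (gateway 203.0.113.1, LAN 192.168.55.0/24) --------------------
# Mirror of site A: the same two CHILD_SAs, seen from the other side.
# (Put this in site B's own ipsec.conf; shown here for comparison.)
#
# conn %default
#     keyexchange=ikev2
#     authby=secret
#     left=203.0.113.1
#     leftid=@siteB
#
# conn siteB-siteA-lan
#     right=198.51.100.1
#     rightid=@siteA
#     leftsubnet=192.168.55.0/24
#     rightsubnet=192.168.22.0/24
#     auto=start
#
# conn siteB-siteA-roadwarriors
#     right=198.51.100.1
#     rightid=@siteA
#     leftsubnet=192.168.33.0/24
#     rightsubnet=192.168.22.0/24
#     auto=start
#
# Road-warrior conn on site B: the virtual IP pool is local to site B, and
# site B announces BOTH the site B LAN and the site A LAN (reachable over
# the A<->B tunnel) as its side of the traffic selectors.
# conn roadwarriors
#     right=%any
#     rightsourceip=192.168.33.0/24
#     leftsubnet=192.168.55.0/24,192.168.22.0/24
#     auto=add

# ---- road warrior --------------------------------------------------------
# The client asks for a virtual IP from site B's pool and lists the remote
# subnets it wants to reach through site B. Add 192.168.33.0/24 here as well
# if road warriors should reach each other via site B.
# conn to-siteB
#     keyexchange=ikev2
#     right=203.0.113.1
#     rightid=@siteB
#     leftsourceip=%config
#     rightsubnet=192.168.22.0/24,192.168.55.0/24
#     auto=start
```

Two things to check after loading this: `ipsec statusall` on site A and site B should list both siteA-siteB-* CHILD_SAs as INSTALLED under one IKE_SA, and site B must have IP forwarding enabled, since it now routes between three IPsec policies rather than bridging a broadcast domain. A site A host pinging 192.168.33.x before the second CHILD_SA exists will either be dropped by the policy on A or leave A in the clear, depending on how A's routing is set up, which is exactly the gap Noel's diagram points at.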