[strongSwan] Road warriors and site-to-site ping each other

Hoggins! hoggins at radiom.fr
Tue Mar 14 09:45:28 CET 2017


Thank you!

I'm currently using a solution from a third-party provider, and there
are not many things I can configure on gateway B (like adding CHILD_SAs,
for example).
I'll go with my own implementation of Strongswan for a better control
over the configuration.

Thanks!

    Hoggins!

On 13/03/2017 at 19:17, Noel Kuntze wrote:
> On 13.03.2017 19:05, Hoggins! wrote:
>> ... so if my gateway A keeps 192.168.22.0/24 as its "real" network, but
>> gets – let's say – a TS 192.168.33.0/24 == 192.168.55.0/24, my road
>> warriors would also be on 192.168.33.0/24 (if configured accordingly, of
>> course), and be able to talk to gateway A.
> TL;DR:
> Nah. You need a second CHILD_SA for 192.168.22.0/24 == 192.168.33.0/24 between
> site A and site B
>
> Short diagram time:
>
> Current situation:
> site A (192.168.22.0/24) == site B (192.168.55.0/24) == roadwarriors (192.168.33.0/24)
>
> site A == site B: 192.168.22.0/24 == 192.168.55.0/24 
>
> site B == roadwarriors: 192.168.55.0/24 == 192.168.33.0/24
>
> The tunnel between site A and B doesn't protect traffic between 192.168.22.0/24 == 192.168.33.0/24
>
>
> You need to build a second CHILD_SA that protects traffic between site A and B
> for the traffic 192.168.22.0/24 == 192.168.33.0/24, because the one you currently have
> just protects 192.168.22.0/24 == 192.168.55.0/24.
>
> Think in IP subnets, not broadcast domains.
>
>
>> Now... (as you understood from my previous messages, there are many
>> basic things that I don't know)
> Oh boy, this is going to take a while then.
>
>> I would like my road warriors on 192.168.33.0/24 to contact hosts on
>> 192.168.22.0/24 and vice-versa. Can I do this by adding the
>> 192.168.22.0/24 subnet somewhere ? Like
>> leftsubnet=192.168.22.0/24,192.168.33.0/24 on host A (but then, how will
>> the dynamic IP address be chosen amongst these two networks ?
>> Should I order the declarations so that the first one is the one in
>> which the dyn IP will be attributed ?), and
>> rightsubnet=192.168.22.0/24,192.168.33.0/24,192.168.55.0/24 or something
>> like that ?
> Err, no.
> You need to tell strongswan which subnets are local and which are remote.
> For site A, 192.168.22.0/24 is local, 192.168.33.0/24 and 192.168.55.0/24 are reachable over site B.
> For site B, 192.168.55.0/24 is local, 192.168.22.0/24 is reachable over site A and roadwarriors are attached
>     with several tunnels (probably many tunnels to some single hosts in 192.168.33.0/24, 
>     like 192.168.33.1/32, 192.168.33.2/32)
> For roadwarriors, their virtual IP is local, 192.168.22.0/24 and 192.168.55.0/24 are reachable over site B (if you want to enable roadwarriors
>     to reach other roadwarriors, you have to tell them too, that 192.168.33.0/24 is reachable over site B)
>
>
>> Don't judge me, I'm playing with things I don't understand well.
>>
>> Thanks anyway for all this help.
>>
>>     Hoggins!
>>

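The two-CHILD_SA layout Noel describes above, written out as an added swanctl.conf example (strongSwan 5.x swanctl syntax). This is not configuration from the thread or from strongSwan's own documentation; the public addresses 198.51.100.1 and 203.0.113.1, the connection and child names, the identities, the cipher proposals and the PSK placeholder are assumptions, while the subnets are the ones discussed in the thread.

```conf
# ---- site A (gateway A, LAN 192.168.22.0/24) ----------------------------
connections {
    site-b {
        local_addrs  = 198.51.100.1      # assumed public address of site A
        remote_addrs = 203.0.113.1       # assumed public address of site B
        version = 2
        proposals = aes256-sha256-x25519
        local  { auth = psk  id = siteA }
        remote { auth = psk  id = siteB }
        children {
            # CHILD_SA 1: what the asker already has, LAN A <-> LAN B
            lan-a-to-lan-b {
                local_ts  = 192.168.22.0/24
                remote_ts = 192.168.55.0/24
                esp_proposals = aes256gcm16-x25519
                start_action = trap        # established on first matching packet
            }
            # CHILD_SA 2: the missing one, LAN A <-> road-warrior pool behind B
            lan-a-to-roadwarriors {
                local_ts  = 192.168.22.0/24
                remote_ts = 192.168.33.0/24
                esp_proposals = aes256gcm16-x25519
                start_action = trap
            }
        }
    }
}
secrets {
    ike-site-b { id = siteB  secret = "replace-with-a-long-random-psk" }
}

# ---- site B (gateway B, LAN 192.168.55.0/24, road-warrior pool 192.168.33.0/24)
connections {
    site-a {
        local_addrs  = 203.0.113.1
        remote_addrs = 198.51.100.1
        version = 2
        proposals = aes256-sha256-x25519
        local  { auth = psk  id = siteB }
        remote { auth = psk  id = siteA }
        children {
            lan-b-to-lan-a {
                local_ts  = 192.168.55.0/24
                remote_ts = 192.168.22.0/24
                esp_proposals = aes256gcm16-x25519
                start_action = trap
            }
            # Aggregate pool subnet here; the per-client /32s live in the
            # road-warrior CHILD_SAs below. Mirrors site A's second child.
            roadwarriors-to-lan-a {
                local_ts  = 192.168.33.0/24
                remote_ts = 192.168.22.0/24
                esp_proposals = aes256gcm16-x25519
                start_action = trap
            }
        }
    }
    roadwarriors {
        local_addrs = 203.0.113.1
        version = 2
        proposals = aes256-sha256-x25519
        pools = rw-pool
        local  { auth = pubkey  certs = siteB.pem  id = siteB }   # assumed cert
        remote { auth = eap-mschapv2  eap_id = %any }             # assumed EAP
        children {
            rw {
                # Tell each road warrior that both LAN B and LAN A are behind B.
                local_ts = 192.168.55.0/24,192.168.22.0/24
                # Add 192.168.33.0/24 to local_ts as well only if road warriors
                # must reach each other through B:
                # local_ts = 192.168.55.0/24,192.168.22.0/24,192.168.33.0/24
                # remote_ts is left at its default ("dynamic"): the virtual IP
                # assigned from rw-pool, i.e. one /32 CHILD_SA per client.
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}
pools {
    rw-pool { addrs = 192.168.33.0/24 }
}
```

After `swanctl --load-all` on both gateways, `swanctl --list-pols` should show two trap policies on each side of the site-to-site link (22.0/24 <-> 55.0/24 and 22.0/24 <-> 33.0/24), and `swanctl --list-sas` should show both CHILD_SAs once traffic has triggered them. Site B is only relaying between SAs, so it still needs IP forwarding enabled and firewall rules that neither drop nor masquerade the forwarded 192.168.22.0/24 <-> 192.168.33.0/24 traffic; a NAT rule that rewrites the source address would stop it from matching the second child's policy.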
