[strongSwan] Host to Network IPSec PSK Vpn tunnel

Muhammad Yousuf Khan sirtcp at gmail.com
Fri Mar 17 17:50:34 CET 2017


Noel, thanks a lot, I really appreciate your help.
One last question: even if we create the tunnel from the VM to the remote
firewall,

here is our diagram:
VM[public IP]-----------------------[public IP]ASA firewall----------------------[computer]

what IP should we use to access the VM from a computer behind the firewall?
Would it be the public IP address of the VM?

Sorry if you find it a very layman or stupid question. Actually the
problem is I have a concept of OpenVPN and other VPN services like PPTP,
L2TP and others: they all use virtual IPs, called tunnel IPs, to
connect through the system. However, IPsec works differently; there is
no tunnel IP, except that when the policy matches it encrypts the traffic.
Now the point is we haven't shared the encryption domain in the configuration,
and when there is no encryption the public IP is the only access option.
So let's say I want to access an application on the VM on port 3389 (just
assume); then should I access it through the public IP? Will the traffic be
encrypted from the source? Second, there will be an iptables firewall in the VPN, so
would strongSwan bypass the traffic through the firewall?

Thanks,
Yousuf

On Thu, Mar 16, 2017 at 11:50 PM, Noel Kuntze <noel at familie-kuntze.de>
wrote:

> That will work if there's no NAT in between the hosts. Otherwise the
> proposed TSi and TSr will not match,
> because the perceived remote peer's IP will be different from what it
> proposes as TS.
>
> On 16.03.2017 19:37, Muhammad Yousuf Khan wrote:
> > Thank you for your input, Noel. It is really appreciated.
> > So you mean if I delete the leftsubnet parameter that is sufficient and the
> tunnel will work?
> >
> > Thanks,
> > Yousuf
> >
> > On Thu, Mar 16, 2017 at 10:36 PM, Noel Kuntze <noel at familie-kuntze.de
> <mailto:noel at familie-kuntze.de>> wrote:
> >
> >     On 16.03.2017 07:29, Muhammad Yousuf Khan wrote:
> >     >
> >     > There is a requirement from our client that we need an IPsec tunnel
> for communication.
> >     > As per our experience with OpenVPN we can do that very easily;
> however IPsec works very differently, therefore I need your assistance.
> >
> >     Policy-based IPsec (which is used by default with strongSwan)
> doesn't require special network devices.
> >     Traffic is protected transparently on the physical interface.
> There's no problem with routing.
> >
> >     > Now here is the confusing part: leftsubnet is technically called
> the encryption domain in Cisco.
> >     > So how come the public IP of my cloud VM can be in both roles, as
> remote peer and as encryption domain? This is a very confusing part.
> >
> >     IKE packets are excepted from IPsec processing. Anything else is
> subject to it. It works without adding special routes
> >     to the routing table(s).
> >
> >
> >     --
> >
> >     Mit freundlichen Grüßen/Kind Regards,
> >     Noel Kuntze
> >
> >     GPG Key ID: 0x63EC6658
> >     Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> >
> >
> >
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
>
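What the setup discussed in this thread looks like in practice, as an added example that is not from the thread or from the strongSwan project: a small deployment script for the host-to-network PSK tunnel in the diagram (a VM with its own public IP to a LAN behind a Cisco ASA), written in classic ipsec.conf syntax. The VM address, ASA address, LAN range, application port and PSK are placeholders, and the script assumes, as Noel's reply requires, that there is no NAT between the two peers. Without leftsubnet the local traffic selector is the VM's own address, so a computer in the LAN reaches the VM at its public IP and the policy encrypts that traffic; the iptables rules show that the decrypted packets are still seen by the host firewall, and that `-m policy` can restrict the application port to traffic that actually arrived through the tunnel.

```shell
#!/bin/sh
# Added example (not from the thread or the strongSwan project): host-to-network
# IKEv2/PSK tunnel from a single VM to a LAN behind a Cisco ASA, in classic
# strongSwan ipsec.conf syntax. Addresses, port and PSK are placeholders
# (RFC 5737 ranges); it assumes no NAT between the VM and the ASA.
set -eu

VM_IP="${VM_IP:-203.0.113.10}"    # VM public IP: IKE peer and local selector
ASA_IP="${ASA_IP:-198.51.100.1}"  # ASA outside IP: remote IKE peer
LAN="${LAN:-192.168.1.0/24}"      # network behind the ASA: remote selector
APP_PORT="${APP_PORT:-3389}"      # service on the VM that the LAN must reach
PSK="${PSK:-replace-with-a-long-random-secret}"

# /etc/ipsec.conf. leftsubnet is deliberately omitted: strongSwan then uses
# the host's own address (left) as the local traffic selector, so the VM
# itself is the "encryption domain" and the ASA crypto ACL must be
# "LAN <-> VM_IP/32". Hosts in the LAN simply address the VM's public IP.
render_ipsec_conf() {
    vm="$1"; asa="$2"; lan="$3"
    cat <<EOF
config setup
    charondebug="ike 1, knl 1, cfg 0"

conn asa-lan
    keyexchange=ikev2
    left=$vm
    leftid=$vm
    leftauth=psk
    right=$asa
    rightid=$asa
    rightauth=psk
    rightsubnet=$lan
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    dpdaction=restart
    auto=route
EOF
}

# /etc/ipsec.secrets: one PSK bound to exactly this pair of peer addresses.
render_secrets() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# iptables rules as text, so they can be reviewed before being piped to sh.
# IPsec does not bypass netfilter: the ESP packet traverses INPUT, and after
# decryption the inner packet traverses PREROUTING/INPUT again, where it can
# be matched with -m policy. The application port is accepted only that way.
firewall_rules() {
    lan="$1"; port="$2"; asa="$3"
    cat <<EOF
iptables -A INPUT -s $asa -p udp --dport 500 -j ACCEPT
iptables -A INPUT -s $asa -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -s $asa -p esp -j ACCEPT
iptables -A INPUT -m policy --dir in --pol ipsec --proto esp --mode tunnel -s $lan -p tcp --dport $port -j ACCEPT
iptables -A INPUT -p tcp --dport $port -j DROP
EOF
}

# Checks after the tunnel is up: an "out" policy VM_IP/32 -> LAN with an ESP
# tunnel template, live SAs, and nothing but IKE/ESP on the wire to the ASA.
verify() {
    ip xfrm policy
    ip xfrm state | grep -v -e 'auth' -e 'enc '   # never paste SA keys anywhere
    ipsec statusall
    echo "If anything prints below, cleartext is leaking past the policy:"
    timeout 10 tcpdump -ni any "host $ASA_IP and not (esp or udp port 500 or udp port 4500)" || true
}

case "${1:-}" in
    render) render_ipsec_conf "$VM_IP" "$ASA_IP" "$LAN"; echo; render_secrets "$VM_IP" "$ASA_IP" "$PSK"; echo; firewall_rules "$LAN" "$APP_PORT" "$ASA_IP" ;;
    apply)
        render_ipsec_conf "$VM_IP" "$ASA_IP" "$LAN" > /etc/ipsec.conf
        umask 077
        render_secrets "$VM_IP" "$ASA_IP" "$PSK" > /etc/ipsec.secrets
        firewall_rules "$LAN" "$APP_PORT" "$ASA_IP" | sh
        ipsec restart && sleep 2 && ipsec up asa-lan ;;
    verify) verify ;;
    *) : ;;   # no argument: only define the functions (sourcing / testing)
esac
```

Run it with `render` to inspect the generated files and rules, `apply` as root to install them, and `verify` to confirm that `ip xfrm policy` shows an `out` policy from the VM's address to the LAN with an ESP tunnel template and that tcpdump sees nothing but ESP, IKE (UDP 500) and NAT-T (UDP 4500) toward the ASA. The ASA side must mirror the selectors (crypto ACL LAN to VM/32) and the proposals, and if either peer sits behind NAT the traffic selectors will not match as Noel describes above, so the example does not cover that case.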