[strongSwan] Client access to DNS service running on same host as strongSwan server
Dan Vee
sendmaildevnull at gmail.com
Sat Oct 7 00:27:49 CEST 2017
Anvar, thank you so much! This works perfectly.
On Fri, Oct 6, 2017 at 3:20 PM Anvar Kuchkartaev <anvar at anvartay.com> wrote:
> The best practice is to create a dummy virtual interface, assign an IP
> address to it and use it as the DNS server IP address.
>
> modprobe dummy
> ip link set dummy0 up
> ifconfig dummy0 1.1.1.1/32
>
> Now you can use it as the internal IP address of the DNS server (you might
> replace 1.1.1.1 with another IP address according to your network planning).
>
> Anvar Kuchkartaev
> anvar at anvartay.com
> From: Dan Vee
> Sent: Saturday, October 7, 2017 12:01 a.m.
> To: users at lists.strongswan.org
> Subject: [strongSwan] Client access to DNS service running on same host
> as strongSwan server
>
> Hi,
>
> I currently have a strongSwan server set up on a VPS host, and I'm also
> running an adblocking DNS server (not exposed to internet) on this same
> host. The server only has one interface and it has a public IP address
> (e.g. 1.2.3.4). I'd like to configure strongSwan to hand out a DNS address
> (for this local DNS server) for any clients that connect. I have two
> problems:
> * I don't know how to make the DNS service running on the same VPS host
> accessible to the connecting client. My client has a virtual IP (e.g.
> 10.20.30.1) and I'm not sure how I can communicate directly with a service
> running locally on this VPS host.
> * I don't know what IP I should pass back to the client for this DNS
> address. I have no private IP address on this server. Should I return the
> public IP address for the server?
>
>
> Server config
> ------------------------------------
> config setup
>     uniqueids=never
>     charondebug="cfg 2, dmn 2, ike 2, net 2"
>
> conn %default
>     keyexchange=ike
>     dpdaction=clear
>     dpddelay=300s
>     rekey=no
>     left=%any
>     leftca=ca.cert.pem
>     leftcert=server.cert.pem
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightdns=????
>     rightsourceip=10.20.30.0/24
>     rightsubnets=192.168.3.0/24
>
> conn IPSec-IKEv2
>     keyexchange=ikev2
>     ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
>     esp=aes256-sha256,3des-sha1,aes256-sha1!
>     leftid="1.2.3.4"
>     leftsendcert=always
>     leftauth=pubkey
>     rightauth=pubkey
>     rightid="client@1.2.3.4"
>     rightcert=client.cert.pem
>     auto=add
>
> Any help would be greatly appreciated. Thanks!
>
>
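
Added example, not part of the original thread: the reply leaves the choice of dummy-interface address to "network planning", so this Python check tests a candidate rightdns value against the leftsubnet and rightsourceip settings from the config quoted above. The trimmed sample config, the function names and the 10.99.0.1 address are assumptions made for the example, and rightsourceip is assumed to be a single CIDR block as in the thread.

```python
import ipaddress

# Constructed sample: the relevant keys from the config in the thread, with a
# candidate rightdns value filled in so it can be checked.
SAMPLE_CONF = """\
conn %default
    leftsubnet=0.0.0.0/0
    rightdns=1.1.1.1
    rightsourceip=10.20.30.0/24
"""

def parse_conn(text, name="%default"):
    """Return the key=value pairs of one ipsec.conf conn section as a dict."""
    opts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented line = section header
            current = line.split()
            continue
        if current == ["conn", name] and "=" in line:
            key, value = line.strip().split("=", 1)
            opts[key.strip()] = value.strip().strip('"')
    return opts

def check_dns_address(opts):
    """Return a list of problems with the rightdns choice (empty list = fine)."""
    problems = []
    dns = ipaddress.ip_address(opts["rightdns"])
    pool = ipaddress.ip_network(opts["rightsourceip"])
    selectors = [ipaddress.ip_network(s.strip())
                 for s in opts["leftsubnet"].split(",")]
    if dns.is_global:
        problems.append("public address: shadows the real host that owns it")
    if dns in pool:
        problems.append("inside rightsourceip pool: may be leased to a client")
    if not any(dns in net for net in selectors):
        problems.append("outside leftsubnet: clients will not tunnel it")
    return problems

if __name__ == "__main__":
    for candidate in ("1.1.1.1", "10.20.30.1", "10.99.0.1"):
        opts = dict(parse_conn(SAMPLE_CONF), rightdns=candidate)
        print(candidate, check_dns_address(opts) or "ok")
```

An address that passes all three checks still has to be the one the DNS service listens on for clients to reach it.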