[strongSwan] Hub-and-Spoke for road-warrior to tunnel
/M
hs2013 at sledge-it.net
Mon Mar 16 08:24:41 CET 2020
Hi,
I'm currently trying to set up a strongSwan-based VPN network between one
office network and some road-warriors.
Unfortunately the core router of the office does not provide VPN support
yet, and forwarding ESP/IKE to an internal host will only be possible in
a couple of weeks.
In the meantime I'd like to provide a temporary solution for mobile
access to some parts of our network.
A quick and dirty idea was to have a secondary gateway in the office
(sun) connect to an external server with a public IP (moon) with a
tunnel setup.
The road-warriors (alice) will connect to moon using an IP-pool-based setup.
So far all of the point-to-point connections are working:
alice -> moon, moon -> alice, (alice -> moon -> INTERNET)
sun -> moon, moon -> sun
Right now I'm stuck with figuring out the necessary rules to route
packets alice -> sun via moon.
Maybe just some iptables/xfrm entries, but maybe something else.
Could you please help?
Thanks and best regards
Markus
---------------------------------------------------------------
moon:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    strictcrlpolicy=no

# site tunnel moon <-> sun, PSK authenticated
conn office-vpn
    keyexchange=ikev2
    esp=aes256-sha1
    ike=aes256-sha256-modp2048
    type=tunnel
    compress=no
    authby=secret
    keyingtries=1
    ikelifetime=30m
    keylife=10m
    rekeymargin=3m
    mobike=no
    left=<PUBIP_OF_MOON>
    # local traffic selector: only the moon/sun link net, not the road-warrior pool
    leftsubnet=172.16.99.0/30
    leftid=@moon
    leftfirewall=yes
    rightsubnet=172.16.20.0/23
    rightid=@sun
    auto=route

# road-warrior access, certificate authenticated, clients get a pool address
conn client-vpn
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=60s
    left=<PUBIP_OF_MOON>
    leftid="C=<CERT-DATA>"
    # offer everything to the client (full tunnel)
    leftsubnet=0.0.0.0/0
    leftcert=/etc/ipsec.d/certs/moon.crt
    leftsendcert=always
    leftfirewall=yes
    right=%any
    rightsourceip=192.168.200.1/27
    rightauth=pubkey
    auto=add
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.200.1        0.0.0.0/0            policy match dir in pol ipsec reqid 2 proto 50
ACCEPT     all  --  0.0.0.0/0            192.168.200.1        policy match dir out pol ipsec reqid 2 proto 50
ACCEPT     all  --  172.16.20.0/23       172.16.99.0/30       policy match dir in pol ipsec reqid 1 proto 50
ACCEPT     all  --  172.16.99.0/30       172.16.20.0/23       policy match dir out pol ipsec reqid 1 proto 50
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
ACCEPT     all  --  192.168.200.0/27     0.0.0.0/0            policy match dir out pol ipsec
MASQUERADE all  --  192.168.200.0/27     0.0.0.0/0
------------------------------------------
sun
ipsec.conf
# site tunnel sun -> moon, PSK authenticated; sun initiates
conn office-vpn
    keyexchange=ikev2
    esp=aes256-sha1
    ike=aes256-sha256-modp2048
    type=tunnel
    compress=no
    authby=secret
    keyingtries=1
    ikelifetime=30m
    keylife=10m
    rekeymargin=3m
    mobike=no
    left=%defaultroute
    leftsubnet=172.16.20.0/23
    leftid=@sun
    leftfirewall=yes
    right=<PUBIP_OF_MOON>
    # remote traffic selectors: the link net and the road-warrior pool on moon
    rightsubnet=172.16.99.0/30,192.168.200.0/27
    rightid=@moon
    auto=start
------------------------------------------
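The piece that is missing in the posted setup, as an added example that is not part of the original post: sun already offers 192.168.200.0/27 as a remote traffic selector, but moon's office-vpn conn only configures 172.16.99.0/30 on its own side. With IKEv2, strongSwan narrows the traffic selectors sun proposes down to what moon has configured, so the negotiated CHILD_SA covers only 172.16.99.0/30 <-> 172.16.20.0/23 and the kernel holds no xfrm policy for packets from the road-warrior pool towards 172.16.20.0/23. Once a packet from alice has been decrypted by the client-vpn SA and is forwarded, it simply leaves moon unencrypted (or is masqueraded to the Internet). Adding the pool to moon's leftsubnet gives the site tunnel a second traffic selector pair; the addresses below are the ones from the post, everything else is an assumption about the rest of moon's setup.

```conf
# moon: /etc/ipsec.conf, office-vpn conn with the road-warrior pool added
# to the local traffic selector (added example, not the original poster's
# config; addresses are the ones used in the post)
conn office-vpn
    keyexchange=ikev2
    # esp/ike proposals kept as in the post
    esp=aes256-sha1
    ike=aes256-sha256-modp2048
    type=tunnel
    authby=secret
    mobike=no
    left=<PUBIP_OF_MOON>
    # The local side of the site tunnel must cover every source that will
    # send into it. Without 192.168.200.0/27 here, moon narrows sun's
    # proposed 172.16.99.0/30,192.168.200.0/27 down to 172.16.99.0/30 and
    # there is no xfrm policy for alice -> 172.16.20.0/23.
    leftsubnet=172.16.99.0/30,192.168.200.0/27
    leftid=@moon
    # leftfirewall=yes lets the _updown script add the matching FORWARD rules
    # for 192.168.200.0/27 <-> 172.16.20.0/23 (ipsec policy match, reqid of
    # this CHILD_SA), next to the existing 172.16.99.0/30 rules.
    leftfirewall=yes
    rightsubnet=172.16.20.0/23
    rightid=@sun
    auto=route

# The client-vpn conn stays as it is: leftsubnet=0.0.0.0/0 already makes
# alice send 172.16.20.0/23 into her tunnel. What moon needs besides the
# conn, listed here as comments because ipsec.conf cannot express it:
#   sysctl -w net.ipv4.ip_forward=1     # decrypted client packets are forwarded, not delivered locally
#   ipsec reload                        # on moon, pick up the new leftsubnet
#   ipsec down office-vpn; ipsec up office-vpn   # on sun, re-negotiate the CHILD_SA with both selectors
#   ipsec statusall                     # the office-vpn CHILD_SA should now list both local subnets
#   ip xfrm policy                      # expect src 192.168.200.0/27 dst 172.16.20.0/23 dir out (reqid of office-vpn)
```

Two checks before calling this done. First, the return path: hosts in 172.16.20.0/23 answer 192.168.200.x via their default gateway, which according to the post is the core router without VPN support, not sun. Unless the core router (or the hosts) carry a route for 192.168.200.0/27 and 172.16.99.0/30 pointing at sun, replies never reach the tunnel; the alternative is to SNAT client traffic on sun towards the office LAN, at the price of losing the client's real source address in office logs. Second, access scope: with this change every authenticated road-warrior can reach the whole 172.16.20.0/23. Since the post only wants "some parts of our network" exposed, restrict it on moon with FORWARD rules from 192.168.200.0/27 to the allowed hosts (before the rules _updown adds, or by narrowing rightsubnet on the office conn). Note that the existing POSTROUTING order on moon is already right for this: the policy-match ACCEPT rules sit in front of MASQUERADE, so pool traffic that enters the office tunnel keeps its 192.168.200.x source and only Internet-bound traffic is masqueraded.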