[strongSwan] Hub-and-Spoke for road-warrior to tunnel

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Mar 16 08:32:05 CET 2020


Hello Markus,

Please provide all the information listed on the HelpRequests page[1] the way it is shown next to the specific information
and explain the meaning of these IP addresses and subnets.
It is necessary in order to give you sensible advice.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 16.03.20 at 08:24, /M wrote:
> Hi,
> 
> I'm currently trying to set up a strongSwan-based VPN network between one office network and some road-warriors.
> Unfortunately the core router of the office does not provide VPN support yet, and forwarding ESP/IKE to an internal host will only be possible in a couple of weeks.
> In the meantime I'd like to provide a temporary solution for mobile access to some parts of our network.
> A quick and dirty idea was to have a secondary gateway in the office (sun) connect to an external server with a public IP (moon) with a tunnel setup.
> The road-warriors (alice) will connect to moon using an IP-pool-based setup.
> So far all of the point-to-point connections are working:
> alice -> moon, moon -> alice, (alice -> moon -> INTERNET)
> sun -> moon, moon -> sun
> 
> Right now I'm stuck with figuring out the necessary rules to route packets alice -> sun via moon.
> Maybe just some iptables/xfrm entries, but maybe something else.
> 
> Could you please help?
> 
> Thanks and best regards
> 
> Markus
> 
> ---------------------------------------------------------------
> moon:
> # ipsec.conf - strongSwan IPsec configuration file
> 
> # basic configuration
> 
> config setup
>     strictcrlpolicy=no
> 
> conn office-vpn
>         keyexchange=ikev2
>         esp=aes256-sha1
>         ike=aes256-sha256-modp2048
>         type=tunnel
>         compress=no
>         authby=secret
>         keyingtries=1
>         ikelifetime=30m
>         keylife=10m
>         rekeymargin=3m
>         mobike=no
>         left=<PUBIP_OF_MOON>
>         leftsubnet=172.16.99.0/30
>         leftid=@moon
>         leftfirewall=yes
>         rightsubnet=172.16.20.0/23
>         rightid=@sun
>         auto=route
> 
> conn client-vpn
>         keyexchange=ikev2
>         dpdaction=clear
>         dpddelay=60s
>         left=<PUBIP_OF_MOON>
>         leftid="C=<CERT-DATA>"
>         leftsubnet=0.0.0.0/0
>         leftcert=/etc/ipsec.d/certs/moon.crt
>         leftsendcert=always
>         leftfirewall=yes
>         right=%any
>         rightsourceip=192.168.200.1/27
>         rightauth=pubkey
>         auto=add
> 
> # iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  192.168.200.1        0.0.0.0/0            policy match dir in pol ipsec reqid 2 proto 50
> ACCEPT     all  --  0.0.0.0/0            192.168.200.1        policy match dir out pol ipsec reqid 2 proto 50
> ACCEPT     all  --  172.16.20.0/23       172.16.99.0/30       policy match dir in pol ipsec reqid 1 proto 50
> ACCEPT     all  --  172.16.99.0/30       172.16.20.0/23       policy match dir out pol ipsec reqid 1 proto 50
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> # iptables -t nat -L -n
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
> ACCEPT     all  --  192.168.200.0/27     0.0.0.0/0            policy match dir out pol ipsec
> MASQUERADE  all  --  192.168.200.0/27     0.0.0.0/0
> 
> ------------------------------------------
> 
> ------------------------------------------
> sun
> ipsec.conf
> conn office-vpn
>         keyexchange=ikev2
>         esp=aes256-sha1
>         ike=aes256-sha256-modp2048
>         type=tunnel
>         compress=no
>         authby=secret
>         keyingtries=1
>         ikelifetime=30m
>         keylife=10m
>         rekeymargin=3m
>         mobike=no
>         left=%defaultroute
>         leftsubnet=172.16.20.0/23
>         leftid=@sun
>         leftfirewall=yes
>         right=<PUBIP_OF_MOON>
>         rightsubnet=172.16.99.0/30,192.168.200.0/27
>         rightid=@moon
>         auto=start
> ------------------------------------------
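The two office-vpn conns quoted above are not symmetric: sun lists 192.168.200.0/27 in its rightsubnet, moon's leftsubnet is 172.16.99.0/30 only. What that does to the tunnel can be checked mechanically. The script below is an added example, not part of the thread and not strongSwan code: it parses the subset of ipsec.conf syntax used in the posted configs, applies IKEv2 traffic-selector narrowing as RFC 7296 specifies it and strongSwan implements it (the responder keeps only the overlap of what the initiator proposes and what it is itself configured for), with sun as initiator (auto=start) and moon as responder (auto=route), and then asks whether the resulting child SA on moon could carry a packet from the road-warrior pool toward 172.16.20.0/23. The function names, the constants and the assumption that the client leg (client-vpn with leftsubnet=0.0.0.0/0) already covers the office network on moon's side are mine; the placeholder IPs are kept as posted and never parsed.

```python
"""Traffic-selector narrowing check for the moon <-> sun tunnel quoted in the thread.

Added example: parses a subset of ipsec.conf, narrows the IKEv2 selectors the way
RFC 7296 describes (overlap of proposed and configured selectors) and reports which
hub-forwarded flows the negotiated child SA on moon can carry.
"""
import ipaddress

# Constructed from the two office-vpn sections posted above; unrelated options dropped.
MOON_CONF = """\
config setup
        strictcrlpolicy=no

conn office-vpn
        keyexchange=ikev2
        left=<PUBIP_OF_MOON>
        leftsubnet=172.16.99.0/30
        leftid=@moon
        rightsubnet=172.16.20.0/23
        rightid=@sun
        auto=route
"""

SUN_CONF = """\
conn office-vpn
        keyexchange=ikev2
        left=%defaultroute
        leftsubnet=172.16.20.0/23
        leftid=@sun
        right=<PUBIP_OF_MOON>
        rightsubnet=172.16.99.0/30,192.168.200.0/27
        rightid=@moon
        auto=start
"""

# Pool handed out by moon's client-vpn conn (rightsourceip=192.168.200.1/27).
CLIENT_POOL = ipaddress.ip_network("192.168.200.0/27")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for the conn sections of an ipsec.conf text.

    Handles only what is needed here: section headers at column 0, indented
    key=value lines and '#' comments. Non-conn sections (config setup) are skipped.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                       # section header
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is not None:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def selectors(value):
    """Split a leftsubnet/rightsubnet value into ip_network objects."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",") if s.strip()]


def narrow(proposed, configured):
    """IKEv2 narrowing: keep the overlap of proposed and configured selectors.

    Two CIDR blocks are either nested or disjoint, so each overlapping pair
    contributes the smaller block.
    """
    result = []
    for p in proposed:
        for c in configured:
            if p.version != c.version:
                continue
            if p.subnet_of(c):
                result.append(p)
            elif c.subnet_of(p):
                result.append(c)
    return result


def negotiate(initiator, responder):
    """Child SA selectors from the responder's point of view: (local, remote).

    The initiator proposes TSi=its leftsubnet and TSr=its rightsubnet; the responder
    narrows TSr against its own leftsubnet and TSi against its own rightsubnet.
    """
    local = narrow(selectors(initiator["rightsubnet"]), selectors(responder["leftsubnet"]))
    remote = narrow(selectors(initiator["leftsubnet"]), selectors(responder["rightsubnet"]))
    return local, remote


def covered(src, dst, local, remote):
    """True if a packet src->dst leaving the responder matches the child SA's selectors."""
    return any(src in n for n in local) and any(dst in n for n in remote)


def check_hub_flows(moon_text, sun_text, pool):
    """Negotiate moon<->sun (sun initiates) and test the flows moon must forward."""
    moon = parse_ipsec_conf(moon_text)["office-vpn"]
    sun = parse_ipsec_conf(sun_text)["office-vpn"]
    moon_local, moon_remote = negotiate(initiator=sun, responder=moon)
    office = selectors(sun["leftsubnet"])[0]
    hub_addr = selectors(moon["leftsubnet"])[0][1]
    return {
        "moon_local_ts": [str(n) for n in moon_local],
        "moon_remote_ts": [str(n) for n in moon_remote],
        # a road-warrior address that moon forwards toward the office network
        "pool_to_office": covered(pool[1], office[1], moon_local, moon_remote),
        # moon's own tunnel address toward the office network
        "hub_to_office": covered(hub_addr, office[1], moon_local, moon_remote),
    }


if __name__ == "__main__":
    for key, value in check_hub_flows(MOON_CONF, SUN_CONF, CLIENT_POOL).items():
        print(f"{key}: {value}")
```

With the configs as posted, the moon-side selector of the negotiated child SA is 172.16.99.0/30 alone, so a packet from 192.168.200.0/27 that moon forwards toward 172.16.20.0/23 matches no IPsec policy from that SA, whatever the FORWARD chain allows. Whether that is what Markus is hitting is exactly what the `ipsec statusall` and `ip xfrm policy` output requested on the HelpRequests page would show, which is why Noel asks for it before advising.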
