[strongSwan] How to bridge two IPsec tunnels on strongswan server?
Tu Robin
peyoot at hotmail.com
Thu Nov 26 10:27:24 CET 2020
I have a strongSwan server which has a public IP address and is also connected to the intranet via Wi-Fi:

roadwarrior --- internet --- A (eth0: 101.231.59.88; wlo1: 192.168.1.1) --- wifi router --- B: 10.10.8.229

A has a public IP on eth0, so the roadwarrior can set up a tunnel to it. I call this tunnel bridge-vpn.
A can also set up a tunnel to B; I name it pvpn.
My goal is to let the roadwarrior ping B via these two tunnels. Although each IPsec tunnel can be set up on its own, I couldn't make them work together: once the A-to-B tunnel is up, the roadwarrior-to-A tunnel seems not to work anymore. Am I missing anything?
A's ipsec.conf:

    config setup
            # strictcrlpolicy=yes
            # uniqueids=no

    conn %default
            keyexchange=ikev2

    # pvpn: tunnel from A to B (10.10.8.229); A requests a virtual IP from B
    # and sends everything (rightsubnet=0.0.0.0/0) through this tunnel
    conn pvpn
            left=%defaultroute
            leftid=@ip88
            leftcert=ip88cert.pem
            leftsourceip=%config
            leftfirewall=yes
            right=10.10.8.229
            rightid=@server
            rightsubnet=0.0.0.0/0
            auto=add

    # bridge-vpn: roadwarrior to A; clients authenticate with EAP-MSCHAPv2
    # and receive a virtual IP from the 10.100.102.0/24 pool
    conn bridge-vpn
            leftsubnet=0.0.0.0/0
            keyexchange=ikev2
            ike=aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024
            esp=aes256-sha256,3des-sha1,aes256-sha1
            rekey=no
            leftauth=pubkey
            leftcert=ip70cert.pem
            leftsendcert=always
            rightauth=eap-mschapv2
            rightsendcert=never
            rightsourceip=10.100.102.0/24
            rightsubnet=10.100.102.0/24
            eap_identity=%any
            fragmentation=yes
            rightdns=1.1.1.1
            auto=route

    # local-net: passthrough (no IPsec) for traffic within A's own subnets
    conn local-net
            leftsubnet=101.231.59.88/28,192.168.1.1/24
            rightsubnet=101.231.59.88/28,192.168.1.1/24
            authby=never
            type=pass
            auto=route
I also enabled NAT on A to forward roadwarrior traffic to the Wi-Fi interface:

    sudo iptables -t nat -A POSTROUTING -o wlo1 -s 10.100.102.0/24 -j MASQUERADE
Am I missing anything, or are there other tricks I need to do?
My guess is that the roadwarrior traffic goes into the pvpn tunnel because of pvpn's rightsubnet=0.0.0.0/0, but the packets can't get back to bridge-vpn. But I don't know how to fix it.
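Editor's note: the guess above (that forwarded roadwarrior traffic is swallowed by pvpn's 0.0.0.0/0 selector) is something that can be checked on A rather than guessed at, because charon turns each negotiated traffic-selector pair into kernel XFRM policies that `ip xfrm policy` lists, and the kernel picks, among all policies whose selector matches the packet and direction, the one with the lowest priority value. The script below is an added example, not code from the original post or from strongSwan: it parses `ip xfrm policy` output and answers "which policy would this packet hit". SAMPLE_DUMP is constructed to resemble what charon would install for the three conns in the post, with assumed values for everything the post does not give: A's virtual IP on pvpn (10.10.9.5), the roadwarrior's virtual IP (10.100.102.1) and public address (203.0.113.7), the IKE source charon picks toward B (192.168.1.1), and the priority numbers. One detail of that construction is worth knowing: with leftsourceip set and no leftsubnet, charon uses the virtual IP as pvpn's local traffic selector, so the outbound policy is vip/32 -> 0.0.0.0/0, not 0.0.0.0/0 -> 0.0.0.0/0.

```python
# Added example (not from the post or strongSwan): parse `ip xfrm policy`
# output and apply the kernel's selection rule (lowest priority value wins
# among matching policies of the requested direction).
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class XfrmPolicy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str                  # "in", "out" or "fwd"
    priority: int                   # lower value = matched first by the kernel
    tmpl_src: Optional[str] = None  # ESP outer addresses from the "tmpl" line
    tmpl_dst: Optional[str] = None  # None means a pass/bypass policy (no tmpl)

    @property
    def is_bypass(self) -> bool:
        return self.tmpl_dst is None


def parse_xfrm_policies(dump: str) -> List[XfrmPolicy]:
    """Parse the multi-line `ip xfrm policy` listing. Socket policies
    (charon's own IKE sockets) have no `dir` line and are skipped."""
    raw = []
    cur = None
    for line in dump.splitlines():
        line = line.strip()
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "dir": None,
                   "prio": None, "tsrc": None, "tdst": None}
            raw.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"^dir (in|out|fwd) priority (\d+)", line)
        if m:
            cur["dir"], cur["prio"] = m.group(1), int(m.group(2))
            continue
        m = re.match(r"^tmpl src (\S+) dst (\S+)", line)
        if m:
            cur["tsrc"], cur["tdst"] = m.group(1), m.group(2)
    return [XfrmPolicy(ipaddress.ip_network(p["src"], strict=False),
                       ipaddress.ip_network(p["dst"], strict=False),
                       p["dir"], p["prio"], p["tsrc"], p["tdst"])
            for p in raw if p["dir"] is not None]


def lookup(policies, src_ip, dst_ip, direction):
    """Return the policy the kernel would apply, or None (plaintext)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies
            if p.direction == direction and src in p.src and dst in p.dst]
    # min() keeps the first of equal priorities, i.e. listing order; this only
    # approximates the kernel's tie-break by policy index.
    return min(hits, key=lambda p: p.priority) if hits else None


def classify(policies, src_ip, dst_ip, direction="out") -> str:
    p = lookup(policies, src_ip, dst_ip, direction)
    if p is None:
        return "no policy: sent in the clear"
    if p.is_bypass:
        return "bypass (pass policy)"
    return f"ESP tunnel to {p.tmpl_dst}"


# Constructed dump (assumed addresses and priorities, not captured from A):
# pvpn = vip 10.10.9.5/32 <-> 0.0.0.0/0 via 192.168.1.1 <-> 10.10.8.229,
# bridge-vpn = 0.0.0.0/0 <-> 10.100.102.1/32 via 101.231.59.88 <-> 203.0.113.7,
# local-net = pass policies for A's own subnets (out direction only shown).
SAMPLE_DUMP = """\
src 10.10.9.5/32 dst 0.0.0.0/0
\tdir out priority 383968 ptype main
\ttmpl src 192.168.1.1 dst 10.10.8.229
\t\tproto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 10.10.9.5/32
\tdir fwd priority 383968 ptype main
\ttmpl src 10.10.8.229 dst 192.168.1.1
\t\tproto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 10.10.9.5/32
\tdir in priority 383968 ptype main
\ttmpl src 10.10.8.229 dst 192.168.1.1
\t\tproto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 10.100.102.1/32
\tdir out priority 383968 ptype main
\ttmpl src 101.231.59.88 dst 203.0.113.7
\t\tproto esp reqid 1 mode tunnel
src 10.100.102.1/32 dst 0.0.0.0/0
\tdir fwd priority 383968 ptype main
\ttmpl src 203.0.113.7 dst 101.231.59.88
\t\tproto esp reqid 1 mode tunnel
src 10.100.102.1/32 dst 0.0.0.0/0
\tdir in priority 383968 ptype main
\ttmpl src 203.0.113.7 dst 101.231.59.88
\t\tproto esp reqid 1 mode tunnel
src 192.168.1.0/24 dst 192.168.1.0/24
\tdir out priority 2848 ptype main
src 101.231.59.80/28 dst 101.231.59.80/28
\tdir out priority 2848 ptype main
"""


def report(policies=None):
    """Classify the flows from the post against the (constructed) policies."""
    if policies is None:
        policies = parse_xfrm_policies(SAMPLE_DUMP)
    cases = {
        "A vip -> B": ("10.10.9.5", "10.10.8.229"),
        "B -> roadwarrior vip": ("10.10.8.229", "10.100.102.1"),
        "roadwarrior vip -> B": ("10.100.102.1", "10.10.8.229"),
        "masqueraded roadwarrior -> B": ("192.168.1.1", "10.10.8.229"),
        "A -> LAN host": ("192.168.1.1", "192.168.1.50"),
    }
    return {name: classify(policies, s, d) for name, (s, d) in cases.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:32s} {verdict}")
```

Run it against the real listing on A (`ip xfrm policy > dump.txt`, then `parse_xfrm_policies(open("dump.txt").read())`) while both tunnels are up. If pvpn's `dir out` policy really shows `src <vip>/32 dst 0.0.0.0/0`, a forwarded packet sourced from the roadwarrior (or from 192.168.1.1 after MASQUERADE) does not match it and leaves wlo1 in the clear, which is what the constructed data shows; the guess would only hold if that policy had `src 0.0.0.0/0`. In that case the other place where a 0.0.0.0/0 remote selector has gateway-wide effect is routing: charon installs a route for pvpn's remote selector in routing table 220 (charon.routing_table) and an ip rule pointing at it, so `ip rule` and `ip route show table 220` are the next two commands to check, since that default route also decides which interface A's own replies to the roadwarrior leave through.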