[strongSwan] Routing between two remote sites

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Tue Jan 25 09:06:24 CET 2022


Hello VTwin

This is a classic Hub-n-Spoke VPN Topology, where
- Central-Gw is the Hub-Ipsec-PeerGw, and
- East and West Gws are the Spoke-Gw peers
- And you need the local-subnets behind each spoke to communicate not only
with subnets behind Central-Gw, BUT also require that the spoke-to-spoke
ipsec traffic be routed via the Central-HubGw

So I request you to kindly try out the attached 2 sample configs for
your deployment.
Personally, I prefer the Sample2 configs.

Hope this info helps

Regards,
Rajiv



On Tue, Jan 25, 2022 at 1:09 PM Michael Schwartzkopff <ms at sys4.de> wrote:

> On 25.01.22 03:13, VTwin Farriers wrote:
> > If I try to add 10.128.0.0/16 to the configuration for East <=>
> Central, I get:
> >
> > received TS_UNACCEPTABLE notify, no CHILD_SA built
> > failed to establish CHILD_SA, keeping IKE_SA
> >
> > when I attempt to bring up the connection.
> >
> > This seems to be related to the fact there is no interface or route on
> Central which is on the 10.128.0.0 subnet, 10.128.0.0/16 traffic is
> passed to West via the West<=>Central ipsec link.
> >
> > swanctl.conf:
> >
> > connections {
> >   EastCentral {
> >     version=2
> >     local_addrs=a.b.c.d
> >     proposals=aes256-sha1-modp1024, default
> >     local-0 {
> >       auth = psk
> >     }
> >     remote-0 {
> >       auth = psk
> >     }
> >     remote_addrs=w.x.y.z
> >     children {
> >       EastCentral {
> >         esp_proposals=aes256-sha1, default
> >         dpd_action=restart
> >         local_ts=10.0.0.0/16
> >         remote_ts=10.64.0.0/16,10.128.0.0/16
> >       }
> >     }
> >   }
> > }
> > secrets {
> >   ike-w.x.y.za.b.c.d {
> >     secret = "SantizedForYourProtection"
> >     id-1=w.x.y.z
> >     id-0=a.b.c.d
> >   }
> > }
>
>
> do you have the 10.128.0.0/16 configured on the central gateway as a
> local_ts for the connection to east?
>
>
> Mit freundlichen Grüßen,
>
> --
>
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG,80333 München
>
> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
> Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Aufsichtsratsvorsitzender: Florian Kirstein
>
>
-------------- next part --------------

==================================================
Sample1 Hub-n-Spoke VPN Topology using Swanctl
==================================================


Issue/Problem Statement:

I have 3 sites, East, Central, and West.

Their subnets are 10.0.0.0/16, 10.64.0.0/16 and 10.128.0.0/16 respectively.

Both East and West connect directly to Central and route traffic between Central and each of the remote sites, e.g. both 10.0 and 10.128 can talk to all machines on 10.64 and vice versa.

I cannot, however, figure out how to teach 10.0 to route traffic to 10.128 through 10.64, so East and West can talk to each other's subnets.

I cannot establish a link directly between East and West; they have to go through Central.

(This is running on CentOS 8.5, all 3 sites.)


====================================================

Pre-requisites/Assumptions:

east-gw public/wan ipaddr is: a.b.c.d
central-gw public/wan ipaddr is: w.x.y.z
west-gw public/wan ipaddr is: p.q.r.s
-------------------------------------------------------



Sample1 Configs on each of the PeerGws:

------------
On EAST:
----------
Assumptions:
east-gw public/wan ipaddr is: a.b.c.d
central-gw public/wan ipaddr is: w.x.y.z


swanctl.conf:

connections {
 EastCentral {
  version=2
  local_addrs=a.b.c.d
  proposals=aes256-sha1-modp1024, default
  local-0 {
   id = eastcentral.test.local
   auth = psk
  }
  remote-0 {
   id = centraleast.test.local
   auth = psk
  }
  remote_addrs=w.x.y.z
  children {
   EastCentral {
    esp_proposals=aes256-sha1, default
    dpd_action=restart
    local_ts=10.0.0.0/16
    remote_ts=10.64.0.0/16,10.128.0.0/16
   }
  }
 }
}
secrets {
 ike0 {
  id = eastcentral.test.local
  secret = "ThisPSKusedfortunnelbetweenEASTCENTRAL"
 }
 ike1 {
  id = centraleast.test.local
  secret = "ThisPSKusedfortunnelbetweenEASTCENTRAL"
 }
}

##########################################################################


------------
On WEST GW:
----------
Assumptions:
west-gw public/wan ipaddr is: p.q.r.s
central-gw public/wan ipaddr is: w.x.y.z


swanctl.conf:

connections {
 WestCentral {
  version=2
  local_addrs=p.q.r.s
  proposals=aes256-sha1-modp1024, default
  local-1 {
   id = westcentral.test.local
   auth = psk
  }
  remote-1 {
   id = centralwest.test.local
   auth = psk
  }
  remote_addrs=w.x.y.z
  children {
   WestCentral {
    esp_proposals=aes256-sha1, default
    dpd_action=restart
    local_ts=10.128.0.0/16
    remote_ts=10.64.0.0/16,10.0.0.0/16
   }
  }
 }
}
secrets {
 ike2 {
  id = westcentral.test.local
  secret = "ThisPSKusedfortunnelbetweenWESTCENTRAL"
 }
 ike3 {
  id = centralwest.test.local
  secret = "ThisPSKusedfortunnelbetweenWESTCENTRAL"
 }
}

#############################################################################


-----------------
On CENTRAL GW
----------------
Assumptions:
east-gw public/wan ipaddr is: a.b.c.d
central-gw public/wan ipaddr is: w.x.y.z
west-gw public/wan ipaddr is: p.q.r.s




swanctl.conf:

connections {
 # Each children block must be nested inside its own connection: a
 # connection without children has no CHILD_SA to offer, so the tunnel
 # would never carry traffic. dpd_action only takes effect once a
 # dpd_delay is configured as well.
 CentralEast {
  version=2
  local_addrs=w.x.y.z
  proposals=aes256-sha1-modp1024, default
  local-0 {
   id = centraleast.test.local
   auth = psk
  }
  remote-0 {
   id = eastcentral.test.local
   auth = psk
  }
  remote_addrs=a.b.c.d
  children {
   CentralEast {
    esp_proposals=aes256-sha1, default
    dpd_action=restart
    # West's subnet is listed here so East->West packets are accepted
    # from this tunnel (this is what the TS_UNACCEPTABLE report lacked)
    local_ts=10.64.0.0/16,10.128.0.0/16
    remote_ts=10.0.0.0/16
   }
  }
 }

 CentralWest {
  version=2
  local_addrs=w.x.y.z
  proposals=aes256-sha1-modp1024, default
  local-1 {
   id = centralwest.test.local
   auth = psk
  }
  remote-1 {
   id = westcentral.test.local
   auth = psk
  }
  remote_addrs=p.q.r.s
  children {
   CentralWest {
    esp_proposals=aes256-sha1, default
    dpd_action=restart
    # East's subnet is listed here so East->West packets are forwarded
    # out through this tunnel (IP forwarding must be enabled on Central)
    local_ts=10.64.0.0/16,10.0.0.0/16
    remote_ts=10.128.0.0/16
   }
  }
 }
}

secrets {
 ike4 {
  id = centraleast.test.local
  secret = "ThisPSKusedfortunnelbetweenEASTCENTRAL"
 }
 ike5 {
  id = eastcentral.test.local
  secret = "ThisPSKusedfortunnelbetweenEASTCENTRAL"
 }
 ike6 {
  id = centralwest.test.local
  secret = "ThisPSKusedfortunnelbetweenWESTCENTRAL"
 }
 ike7 {
  id = westcentral.test.local
  secret = "ThisPSKusedfortunnelbetweenWESTCENTRAL"
 }
}


##############################################################################





-------------- next part --------------

==================================================
Sample2 Hub-n-Spoke VPN Topology using Swanctl
==================================================



Pre-requisites/Assumptions:

east-gw public/wan ipaddr is: a.b.c.d
central-gw public/wan ipaddr is: w.x.y.z
west-gw public/wan ipaddr is: p.q.r.s
-------------------------------------------------------



Sample2 Configs on each of the PeerGws:

Important-Notes:
1. This config is the ideal Hub-n-Spoke config and is HIGHLY RECOMMENDED.

2. BUT this Sample2 config has one drawback/limitation/constraint.

- With this config, ALL Internet traffic from the local networks behind the EAST/WEST Gws will also be routed via the IPsec tunnel to Central-Gw.
- Meaning there will be no split-tunnel traffic with local breakout of Internet traffic on the East/West Gws. All traffic will be routed to Central-Gw via the IPsec tunnel.
- So for routing "Internet" traffic coming in from the EAST/WEST subnets, you will need to enable NAT/MASQUERADE ON CENTRAL-GW FOR INTERNET ROUTING FOR EAST/WEST SUBNETS.




------------
On EAST:
----------
Assumptions:
east-gw public/wan ipaddr is: a.b.c.d
central-gw public/wan ipaddr is: w.x.y.z


swanctl.conf:

connections {
 EastCentral {
  version=2
  local_addrs=a.b.c.d
  proposals=aes256-sha1-modp1024, default
  local-0 {
   id = eastcentral.test.local
   auth = psk
  }
  remote-0 {
   id = centraleast.test.local
   auth = psk
  }
  remote_addrs=w.x.y.z
  children {
   EastCentral {
    esp_proposals=aes256-sha1, default
    dpd_action=restart
    local_ts=10.0.0.0/16
    # everything not in 10.0.0.0/16, Internet included, goes via Central
    remote_ts=0.0.0.0/0
   }
  }
 }
}
secrets {
 ike0 {
  id = eastcentral.test.local
  secret = "ThisPSKusedfortunnelbetweenEASTCENTRAL"
 }
 ike1 {
  id = centraleast.test.local
  secret = "ThisPSKusedfortunnelbetweenEASTCENTRAL"
 }
}

##########################################################################


------------
On WEST GW:
----------
Assumptions:
west-gw public/wan ipaddr is: p.q.r.s
central-gw public/wan ipaddr is: w.x.y.z


swanctl.conf:

connections {
 WestCentral {
  version=2
  local_addrs=p.q.r.s
  proposals=aes256-sha1-modp1024, default
  local-1 {
   id = westcentral.test.local
   auth = psk
  }
  remote-1 {
   id = centralwest.test.local
   auth = psk
  }
  remote_addrs=w.x.y.z
  children {
   WestCentral {
    esp_proposals=aes256-sha1, default
    dpd_action=restart
    local_ts=10.128.0.0/16
    # everything not in 10.128.0.0/16, Internet included, goes via Central
    remote_ts=0.0.0.0/0
   }
  }
 }
}
secrets {
 ike2 {
  id = westcentral.test.local
  secret = "ThisPSKusedfortunnelbetweenWESTCENTRAL"
 }
 ike3 {
  id = centralwest.test.local
  secret = "ThisPSKusedfortunnelbetweenWESTCENTRAL"
 }
}

#############################################################################


-----------------
On CENTRAL GW
----------------
Assumptions:
east-gw public/wan ipaddr is: a.b.c.d
central-gw public/wan ipaddr is: w.x.y.z
west-gw public/wan ipaddr is: p.q.r.s




swanctl.conf:

connections {
 # Each children block must be nested inside its own connection: a
 # connection without children has no CHILD_SA to offer, so the tunnel
 # would never carry traffic. dpd_action only takes effect once a
 # dpd_delay is configured as well.
 CentralEast {
  version=2
  local_addrs=w.x.y.z
  proposals=aes256-sha1-modp1024, default
  local-0 {
   id = centraleast.test.local
   auth = psk
  }
  remote-0 {
   id = eastcentral.test.local
   auth = psk
  }
  remote_addrs=a.b.c.d
  children {
   CentralEast {
    esp_proposals=aes256-sha1, default
    dpd_action=restart
    # 0.0.0.0/0 covers West's subnet and the Internet; Internet-bound
    # packets leave Central in the clear, hence the NAT/MASQUERADE note
    local_ts=0.0.0.0/0
    remote_ts=10.0.0.0/16
   }
  }
 }

 CentralWest {
  version=2
  local_addrs=w.x.y.z
  proposals=aes256-sha1-modp1024, default
  local-1 {
   id = centralwest.test.local
   auth = psk
  }
  remote-1 {
   id = westcentral.test.local
   auth = psk
  }
  remote_addrs=p.q.r.s
  children {
   CentralWest {
    esp_proposals=aes256-sha1, default
    dpd_action=restart
    local_ts=0.0.0.0/0
    remote_ts=10.128.0.0/16
   }
  }
 }
}

secrets {
 ike4 {
  id = centraleast.test.local
  secret = "ThisPSKusedfortunnelbetweenEASTCENTRAL"
 }
 ike5 {
  id = eastcentral.test.local
  secret = "ThisPSKusedfortunnelbetweenEASTCENTRAL"
 }
 ike6 {
  id = centralwest.test.local
  secret = "ThisPSKusedfortunnelbetweenWESTCENTRAL"
 }
 ike7 {
  id = westcentral.test.local
  secret = "ThisPSKusedfortunnelbetweenWESTCENTRAL"
 }
}


##############################################################################
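As an added example (not part of Rajiv's attachments or of strongSwan itself): a small Python model of IKEv2 traffic-selector narrowing and of the hub's policy pairs, run over the Sample1 and Sample2 child configs above and over a constructed "before" config on Central that lacks the other spoke's subnet in local_ts, the situation Michael's question points at. It assumes IP forwarding is enabled on Central and uses only the standard library.

```python
from ipaddress import ip_network

def parse_ts(ts):
    """Split a swanctl TS list such as '10.64.0.0/16,10.128.0.0/16'."""
    return [ip_network(x.strip()) for x in ts.split(",")]

def intersect(ts_a, ts_b):
    """Subnets common to two TS lists (CIDR blocks are nested or disjoint)."""
    common = set()
    for a in parse_ts(ts_a):
        for b in parse_ts(ts_b):
            if a.subnet_of(b):
                common.add(a)
            elif b.subnet_of(a):
                common.add(b)
    return sorted(common)

def negotiate(initiator, responder):
    """IKEv2 responder narrows TSi/TSr to its own child (RFC 7296 sec. 2.9).
    Returns (local, remote) as the initiator sees them, or None when either
    side narrows to nothing: the TS_UNACCEPTABLE case from the thread."""
    local = intersect(initiator["local_ts"], responder["remote_ts"])
    remote = intersect(initiator["remote_ts"], responder["local_ts"])
    if not local or not remote:
        return None
    return [str(n) for n in local], [str(n) for n in remote]

def covers(ts, net):
    """True if some subnet in the TS list contains net."""
    return any(ip_network(net).subnet_of(n) for n in parse_ts(ts))

def hub_forwards(hub_children, src, dst):
    """Spoke-to-spoke via the hub needs an inbound policy (src behind
    remote_ts, dst within local_ts) on one child and an outbound policy
    (src within local_ts, dst behind remote_ts) on another. Assumes
    net.ipv4.ip_forward=1 on the hub."""
    inbound = any(covers(c["remote_ts"], src) and covers(c["local_ts"], dst)
                  for c in hub_children)
    outbound = any(covers(c["local_ts"], src) and covers(c["remote_ts"], dst)
                   for c in hub_children)
    return inbound and outbound

# Child configs taken from the samples above. CENTRAL_BEFORE is constructed:
# Central's children without the other spoke's subnet in local_ts.
EAST = {"local_ts": "10.0.0.0/16", "remote_ts": "10.64.0.0/16,10.128.0.0/16"}
CENTRAL_BEFORE = [{"local_ts": "10.64.0.0/16", "remote_ts": "10.0.0.0/16"},
                  {"local_ts": "10.64.0.0/16", "remote_ts": "10.128.0.0/16"}]
SAMPLE1_CENTRAL = [{"local_ts": "10.64.0.0/16,10.128.0.0/16", "remote_ts": "10.0.0.0/16"},
                   {"local_ts": "10.64.0.0/16,10.0.0.0/16", "remote_ts": "10.128.0.0/16"}]
SAMPLE2_CENTRAL = [{"local_ts": "0.0.0.0/0", "remote_ts": "10.0.0.0/16"},
                   {"local_ts": "0.0.0.0/0", "remote_ts": "10.128.0.0/16"}]
```

With CENTRAL_BEFORE, East's proposal narrows to 10.64.0.0/16 only and the hub has no policy pair for 10.0 to 10.128; with Sample2, Internet-bound traffic from a spoke has no outbound policy on Central and is forwarded in the clear, which is why the NAT/MASQUERADE note applies.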