Hi, I have a few questions related to the internals of strongswan. I would like to elaborate on my current setup to give context for these questions.

I have set up a VPN gateway on an Ubuntu 12.04 machine (kernel 3.2.x) using strongswan 5.0, where my clients authenticate using xauthrsasig. My clients use this gateway to access the Internet. My VPN gateway lets the clients use a virtual IP in the range 192.168.1.x because I have "rightsourceip=192.168.1.2/24" in the ipsec.conf file.

A packet capture on the interface of my gateway connected to the Internet shows the following stream of packets:

1) roadwarrior-ip -----> vpn-gw-ip ... packets are encrypted
2) 192.168.1.x -----> google-ip ... packets are not encrypted; I can see the HTTP GET requests
3) vpn-gw-ip ---> google-ip ... same TCP payload but from a different source IP, because my VPN gateway is acting like a NAT box connecting the 192.168.1.x network to the Internet
4) google-ip ----> vpn-gw-ip ... the response from the remote server
5) vpn-gw-ip ----> google-ip ... packets are encrypted

I see three packets (1, 2, and 3) for each packet that my roadwarrior client sends to google, but I see only two packets (4 and 5) that are the response from google. A previous question on the mailing list points to the use of the NETKEY implementation by strongswan, which does not use a virtual interface ipsec*. However, I am not clear as to why this happens. Sadly the documentation of NETKEY is not as clear as the strongswan documentation. My problem is that I would like to analyze individual TCP/UDP payloads that go to and come from my roadwarrior clients.

1) Does strongswan have access to all the packets that pass through the VPN tunnel? Is there a module/function in the strongswan system that receives all the packets from the roadwarrior clients and the packets that are intended to be sent to a particular roadwarrior client?

2) I would like to know why I am able to see packets in one direction in their raw form (with TCP/UDP payloads) but I cannot see the TCP/UDP payloads that are a response to these packets. How and why does the NETKEY implementation affect the packets coming from the Internet to my roadwarrior clients?

3) How does strongswan modify the routing entries? Where is this done in the strongswan code base? I can see "192.168.1.xx via <gateway used by vpn server> dev eth0 proto static" on running ip route list table 220.

4) Does the kernel maintain any mapping between the virtual IPs assigned by strongswan to a roadwarrior and the IP addresses of the roadwarrior client? Is this mapping maintained only by strongswan, or does the kernel maintain this mapping?

4) Can you suggest a way of modifying the routes or playing with the routing tables so that I can have access to these payloads? I would like to use xauthrsasig for authentication, and I do not want to use L2TP or PPTP for setting up the VPN gateway.

5) Has strongswan 5.0 been ported to or tested on OpenBSD or FreeBSD? Can I run a strongswan daemon (with virtual IPs for clients) on OpenBSD (or FreeBSD)?

Thanks and Regards,
Ashwin
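On the question of whether the kernel itself keeps the virtual-IP-to-peer mapping: with NETKEY that mapping lives in the kernel's XFRM policies, where the inner traffic selector names the virtual IP and the `tmpl` line names the outer ESP endpoints (gateway and roadwarrior public address). The following is an added example, not code from the original post or from strongswan; it parses a constructed sample of `ip xfrm policy show` output (documentation-range addresses, assumed values) to recover that mapping for each policy direction.

```python
import re
from typing import Dict, Tuple

# Constructed sample of `ip xfrm policy show` output on the gateway. Assumed
# values: one roadwarrior at public address 203.0.113.9 holds virtual IP
# 192.168.1.2; the gateway's public address is 198.51.100.7.
SAMPLE_XFRM_POLICY = """\
src 0.0.0.0/0 dst 192.168.1.2/32 
	dir out priority 2883 ptype main 
	tmpl src 198.51.100.7 dst 203.0.113.9
		proto esp reqid 1 mode tunnel
src 192.168.1.2/32 dst 0.0.0.0/0 
	dir in priority 2883 ptype main 
	tmpl src 203.0.113.9 dst 198.51.100.7
		proto esp reqid 1 mode tunnel
src 192.168.1.2/32 dst 0.0.0.0/0 
	dir fwd priority 2883 ptype main 
	tmpl src 203.0.113.9 dst 198.51.100.7
		proto esp reqid 1 mode tunnel
"""

# One tunnel-mode ESP policy: selector line, dir line, tmpl line, proto line.
POLICY_RE = re.compile(
    r"src (?P<src>\S+) dst (?P<dst>\S+)\s*\n"
    r"\s*dir (?P<dir>\w+) .*?\n"
    r"\s*tmpl src (?P<tsrc>\S+) dst (?P<tdst>\S+)\n"
    r"\s*proto esp reqid (?P<reqid>\d+) mode tunnel"
)


def virtual_ip_map(xfrm_policy_text: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Return {virtual_ip: {direction: (outer_src, outer_dst)}}.

    For 'out' policies the virtual IP is the inner destination; for 'in' and
    'fwd' policies it is the inner source. The outer pair is what ties the
    virtual IP to the roadwarrior's real address inside the kernel.
    """
    result: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for m in POLICY_RE.finditer(xfrm_policy_text):
        direction = m.group("dir")
        inner = m.group("dst") if direction == "out" else m.group("src")
        vip = inner[:-3] if inner.endswith("/32") else inner
        result.setdefault(vip, {})[direction] = (m.group("tsrc"), m.group("tdst"))
    return result


def peer_address(mapping: Dict[str, Dict[str, Tuple[str, str]]], vip: str) -> str:
    """Roadwarrior public address for a virtual IP (outer dst of the 'out' policy)."""
    return mapping[vip]["out"][1]
```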
