Hi! I am trying to connect a remote site to our internal network with strongswan. Here is my setup:
Remote site
-----------
- 1 server + additional clients on private subnet 10.3.9.0/24
- server is directly connected to the internet through a DSL line
- server has only one network interface (eth0), so I need virtual IPs
- server is also default gateway for clients on private subnet

IP setup on remote server:
eth0:   10.3.9.20   (standard server address on remote side)
eth0:1  10.3.9.1    (default gateway address for clients)
eth0:2  12.34.56.78 (outside connection)

Local site
----------
- several servers and clients on public subnet 31.41.59.0/24
- network is protected by firewall
- 1 gateway server for IPsec is reachable through firewall

IP setup on gateway server:
eth0: 31.41.59.26

Clients from both subnets should transparently reach each other through the IPsec tunnel. Besides, the gateway and the remote server also have to be able to talk to each other through the IPsec tunnel directly.

I have tried many configurations but only the one with the four-tunnel example (2.3) from http://www.strongswan.org/docs/readme4.htm#section_2.3 works (I know this is outdated). The example 2.4 does not work at all. I have also tried to adapt the more up-to-date example http://www.strongswan.org/uml/testresults/ikev1/virtual-ip/ but to no avail. The packets do not go through the tunnel and try to take the default route instead.

With my working setup, I have one problem: packets from the remote server appear in the local network with IP address 12.34.56.78. I would prefer to have them come in with source IP 10.3.9.20 but no luck so far.
Here is my currently working setup:

---
# ipsec.conf - strongSwan IPsec configuration file

config setup
        #plutodebug=control
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        #charonstart=no
        #plutostart=yes

conn %default
        #ikelifetime=60m
        #keylife=20m
        #rekeymargin=3m
        #keyingtries=3
        keyexchange=ikev2
        authby=secret

conn net-net
        leftsubnet=31.41.59.0/24
        rightsubnet=10.3.9.0/24
        #rightsourceip=10.3.9.20
        also=host-host

conn net-host
        leftsubnet=31.41.59.0/24
        #rightsourceip=10.3.9.20
        also=host-host

conn host-net
        rightsubnet=10.3.9.0/24
        #rightsourceip=10.3.9.20
        also=host-host

conn host-host
        left=31.41.59.26
        right=12.34.56.78
        #rightsourceip=10.3.9.20
        auto=start
---

As you can see, I tried to add "rightsourceip" at several points but every time I uncomment one of them, it breaks the connection.

I would appreciate any help, especially hints for a less complicated setup.

Kind regards
Dietrich

PS: I am using strongswan 4.4.1-5.2 on Debian Squeeze on both machines.

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
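The four conns above are layered with "also=host-host" on top of "conn %default", so the settings strongSwan actually applies to each tunnel are not visible in any single section. The following script is an added example (not from the post or from the strongSwan project): it parses an ipsec.conf fragment, resolves %default and also= inheritance (section keys taking precedence over included ones, as strongSwan's parser does), and lists which conns would end up with a sourceip directive active. The embedded config is a constructed subset of the one posted above.

```python
"""Expand ipsec.conf conn sections to their effective settings (added example)."""
import re

# Constructed sample based on the posted config (sourceip lines left commented out).
SAMPLE_CONF = """\
config setup
    #charonstart=no
conn %default
    keyexchange=ikev2
    authby=secret
conn net-net
    leftsubnet=31.41.59.0/24
    rightsubnet=10.3.9.0/24
    #rightsourceip=10.3.9.20
    also=host-host
conn host-host
    left=31.41.59.26
    right=12.34.56.78
    auto=start
"""

def parse_sections(text):
    """Return {conn_name: {key: value}} for every conn section; comments are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip '#' comments and whitespace
        if not line:
            continue
        m = re.match(r"^(conn|config)\s+(\S+)$", line)
        if m:                                          # section header: only 'conn' matters here
            current = m.group(2) if m.group(1) == "conn" else None
            if current is not None:
                sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def effective_conn(sections, name):
    """Resolve one conn: own keys override 'also=' keys, which override conn %default."""
    own = dict(sections[name])
    if "also" in own:
        base = effective_conn(sections, own.pop("also"))   # included section, itself resolved
    else:
        base = dict(sections.get("%default", {}))
    base.update(own)
    return base

def conns_with_sourceip(sections):
    """Names of conns whose effective settings contain an active left/rightsourceip."""
    return sorted(n for n in sections if n != "%default" and
                  any(k in ("leftsourceip", "rightsourceip") for k in effective_conn(sections, n)))
```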
