ok, I have it (almost) working

VPN server ipsec.conf (running strongSwan 5.2)

config setup
        # uniqueids=never
        charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftsubnet=0.0.0.0/0
        leftcert=serverHostCert.pem
        right=%any
        rightdns=8.8.8.8
        rightsourceip=192.168.126.3/24
        type=tunnel
        #rightsubnet=192.168.126.0/24
        forceencaps=yes

conn nexus5
        keyexchange=ikev1
        # forceencaps=yes
        rightauth=pubkey
        rightauth2=xauth
        auto=add
        rightsourceip=192.168.126.5
(many more like this one, all of them android phones)

conn <laptop>
        keyexchange=ikev2
        auto=add
        #leftsubnet=192.168.126.0/24
        #rightsourceip=192.168.126.4

conn <workstation>
        keyexchange=ikev2
        auto=add
        leftsubnet=192.168.126.0/24


The only thing I cannot get to work is being able to ssh from <laptop> to <workstation>.

I don't understand how I could do it, as the IPs assigned to <laptop> and <workstation> have a /32 netmask. Also, I run many VMs on <laptop> which I would like to be able to route into the VPN, but that is not possible as I don't get any route.

I can reach the network behind the VPN server (192.168.125.1); that's good.

Output from <workstation>:

$ ip r
default via 172.17.0.1 dev eth0
172.17.0.0/21 dev eth0  proto kernel  scope link  src 172.17.1.163
192.168.122.0/24 dev prov0  proto kernel  scope link  src 192.168.122.1
192.168.255.0/24 dev br0  proto kernel  scope link  src 192.168.255.1

$ ip -4 a

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 172.17.1.163/21 brd 172.17.7.255 scope global eth0
       valid_lft forever preferred_lft forever
*inet 192.168.126.4/32 scope global eth0*
       valid_lft forever preferred_lft forever
ipsec.conf on <workstation> (running strongSwan 5.2)

config setup
    nat_traversal = yes
    charonstart=no

conn sample-with-ca-cert
      leftsourceip=%config
      rightsubnet=192.168.125.0/24
      leftcert=workstationCert.pem
      leftid=workstation
      right=vpn-server-ip
      rightid="C=AR, O=strongSwan, CN=vpn-server-FQDN"
      auto=start
      leftfirewall = yes


I feel like I'm missing something obvious, but I cannot get an answer by googling for it.
Any pointer will be appreciated.

Thanks


On 10/14/2014 03:40 PM, Martin Willi wrote:
Hi,

I want to know if strongSwan running on a Linux server can support these
clients.

- Android phones using the native client, configured as IPsec RSA XAuth
(X.509+XAuth); all traffic should be routed over the VPN

- MikroTik router, configured as IPsec RSA, behind a dynamic IP but not
NAT (ADSL); not all traffic should be routed over the VPN.
The router will NAT its clients into the VPN

- remote workstation running Linux behind NAT; not all traffic should be
routed over the VPN, but it should allow connections from other VPN clients

- laptop running Linux, most of the time behind NAT; it may or may not
need to route all the traffic over the VPN, and it needs to be able to connect
to the remote workstation over the VPN

That should be doable, yes. Obviously you'll need multiple connection
definitions in your ipsec.conf, most likely one for each of these
clients.

The tricky part is probably to assign the correct connection definition
to each connecting client. I assume the first two use IKEv1? Then you
can distinguish them by the authentication method. For the latter two
I'd recommend to use IKEv2 (and strongSwan clients?), but not sure what
your "other vpn client" supports. If required you can use different
leftids on your responder with IKEv2, and then select the correct
configuration based on the proposed responder identity. Alternatively
you may select the configuration based on the client identity or its IP
address; this highly depends on your client capabilities.

Whether to "route all traffic over VPN" depends on your leftsubnet
configuration; you may also dynamically allow clients to propose what to
tunnel by using traffic selector narrowing.

I want to know if strongSwan can do all this for me running on a single
server, on a single instance with a single pool of IPs

Sharing an in-memory virtual IP pool is straightforward since 5.0.1;
just define the same rightsourceip pool subnet to share it across
multiple connections.

Regards
Martin


--
1AE0 322E B8F7 4717 BDEA BF1D 44BB 1BA7 9F6C 6333
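An added example, not code from this thread or from strongSwan itself: a small Python check that parses ipsec.conf snippets constructed from the ones above and applies IKEv2 traffic selector narrowing (the overlap of the server's leftsubnet with the rightsubnet the client proposes) to see whether the virtual-IP pool, where the other clients live, is still inside the narrowed selector. It assumes the client is matched to the named server conn; the conn names, the `conn vpn` client snippet and the parser's handling of only the keys shown are assumptions.

```python
import ipaddress

def parse_ipsec_conf(text):
    """Minimal ipsec.conf parser: {conn_name: {key: value}}, 'conn %default' inherited."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                   # unindented: "conn NAME" / "config setup"
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip().strip('"')
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **vals} for (kind, name), vals in sections.items()
            if kind == "conn" and name != "%default"}

def networks(value):
    """'a/24,b/24' -> [ip_network]; strict=False accepts pool notation such as 192.168.126.3/24."""
    return [ipaddress.ip_network(s.strip(), strict=False) for s in value.split(",")]

def narrowed_ts(server_conn, client_conn):
    """IKEv2 narrowing: overlap of the responder's leftsubnet with the client's proposed rightsubnet."""
    result = []
    for srv in networks(server_conn["leftsubnet"]):
        for cli in networks(client_conn["rightsubnet"]):
            if srv.subnet_of(cli):
                result.append(srv)
            elif cli.subnet_of(srv):
                result.append(cli)
    return result                                  # []: disjoint, no CHILD_SA comes up

def pool_reachable(server_conn, client_conn):
    """True if the whole rightsourceip pool lies inside the narrowed TS (peer virtual IPs go into the tunnel)."""
    pool = ipaddress.ip_network(server_conn["rightsourceip"], strict=False)
    return any(pool.subnet_of(ts) for ts in narrowed_ts(server_conn, client_conn))

# Constructed sample input, trimmed from the configs posted in this thread (assumed conn names).
SERVER_CONF = """\
conn %default
        leftsubnet=0.0.0.0/0
        rightsourceip=192.168.126.3/24   # pool shared by every conn
conn laptop
conn workstation
        leftsubnet=192.168.126.0/24
"""
CLIENT_AS_POSTED = "conn vpn\n      rightsubnet=192.168.125.0/24\n"
CLIENT_WITH_POOL = "conn vpn\n      rightsubnet=192.168.125.0/24,192.168.126.0/24\n"
```

Passing this check only covers the traffic selectors on the client side; for client-to-client traffic the server must also forward between the two tunnels (net.ipv4.ip_forward=1 and matching FORWARD rules, which leftfirewall=yes installs per conn).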

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
