Hi Tobias

Thanks for your reply. Please find more details below.
Regarding #1, on the server I have configured another IP address for the network device:
ip addr add 192.168.1.0/24 dev eth0

Do I need to add a route as well?

Central server internal IP: 192.168.1.0, external IP: vpn.example.org
First home gateway: 192.168.0.1/24
Second home gateway: 192.168.2.1/24

Please find below my ipsec.conf

The connection seems to be established, but I get the following error message on the server:
traffic selectors 192.168.1.0/32 192.168.2.0/24 === 192.168.1.0/24 inacceptable
failed to establish CHILD_SA, keeping IKE_SA

On the first gateway I get:
installing new virtual IP 192.168.0.1
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA

Best regards
Martin

## Server.conf

config setup

conn base
        type=tunnel
        keyexchange=ikev2
        keyingtries=%forever
        rekeymargin=3m
        ikelifetime=60m
        keylife=20m
        compress=no

        left=vpn.example.org
        leftauth=pubkey
        leftcert=serverCert.pem
        leftsubnet=192.168.1.0
        leftfirewall=yes

        right=%any
        rightauth=pubkey
        rightsendcert=never

conn vpn-first
        auto = add
        rightcert = firstCert.pem
        rightsubnet = 192.168.0.0/24
        rightsourceip = 192.168.0.1
        also=base

conn vpn-mann
        auto = add
        rightcert = secondCert.pem
        rightsubnet = 192.168.2.0/24
        rightsourceip = 192.168.2.1
        also=base

# First gateway ipsec.conf (second one skipped for the moment)

config setup

conn %default

conn vpn-stern
        auto=route
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev2
        dpdaction = restart
        closeaction = restart
        forceencaps = yes
        compress = no
        fragmentation=yes

        right = vpn.example.org
        rightauth = pubkey
        rightcert = serverCert.pem
        rightsendcert=never
        rightsubnet = 192.168.1.0,192.168.2.0/24

        left = %defaultroute
        leftauth = pubkey
        leftca = %same
        leftcert = firstCert.pem
        leftsubnet = 192.168.1.0/24
        leftsourceip = %config4

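An added illustration, not code from the thread or from strongSwan: a small model of IKEv2 traffic-selector narrowing (each proposed TS is intersected with the responder's configured subnets; an empty result on either side yields TS_UNACCEPTABLE), run over the subnets posted above for conn vpn-first and the first gateway. It is CIDR-only and ignores ports, protocols, address ranges and virtual IPs; the "fixed" values (gateway leftsubnet=192.168.0.0/24, server leftsubnet=192.168.1.0/24) are an assumption for comparison, not a statement from the thread.

```python
"""Model of IKEv2 traffic-selector (TS) narrowing as a responder does it.
Constructed example: CIDR-only, no ports/protocols/ranges/virtual IPs,
and not strongSwan's own code."""
import ipaddress


def parse_subnets(value):
    """Parse a strongSwan-style subnet list ("a.b.c.d/nn,e.f.g.h").
    A bare address without a mask is read as a single host (/32),
    which is how strongSwan interprets leftsubnet=192.168.1.0."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",") if s.strip()]


def narrow(proposed, configured):
    """Intersect each proposed TS with each configured TS.  Two CIDR
    blocks are either nested or disjoint, so the result is the smaller
    block or nothing."""
    result = set()
    for p in proposed:
        for c in configured:
            if p.subnet_of(c):
                result.add(p)
            elif c.subnet_of(p):
                result.add(c)
    return sorted(result)


def respond(my_conf, other_conf, tsi, tsr):
    """Responder-side selection: TSr is matched against our local subnet
    (leftsubnet), TSi against the remote subnet (rightsubnet).  Returns
    (local, remote), or None where the responder would send TS_UNACCEPTABLE."""
    local = narrow(parse_subnets(tsr), parse_subnets(my_conf))
    remote = narrow(parse_subnets(tsi), parse_subnets(other_conf))
    if not local or not remote:
        return None
    return local, remote


def fmt(ts):
    return " ".join(str(n) for n in ts)


if __name__ == "__main__":
    # Values as posted: server conn vpn-first vs. the first gateway.
    posted = respond(my_conf="192.168.1.0", other_conf="192.168.0.0/24",
                     tsi="192.168.1.0/24",              # gateway leftsubnet
                     tsr="192.168.1.0,192.168.2.0/24")  # gateway rightsubnet
    print("as posted:", posted)  # None: remote side has no overlap
    # Assumed fix: gateway announces its own LAN, server its full /24.
    fixed = respond(my_conf="192.168.1.0/24", other_conf="192.168.0.0/24",
                    tsi="192.168.0.0/24", tsr="192.168.1.0/24")
    print("fixed:", fmt(fixed[0]), "===", fmt(fixed[1]))
```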

On 07/12/2016 10:49 AM, Tobias Brunner wrote:
Hi Martin,

> There are basically 2 separate questions:
> 1. Do I need to setup ip route on vpn.example.org?

What do you mean?

> 2. What are the right iptables to route traffic from the two home
> networks to each other?

Depends on the existing firewall configuration.  But traffic between the
subnets must be permitted in the FORWARD chain.  strongSwan will install
such rules with leftfirewall=yes.

Regards,
Tobias


_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users