Hi Tobias

Sorry for the late response. I already changed the conf yesterday and found out that my vServer does not have the required kernel modules built-in. So I had to request a new cloud based server and move all my web sites and VPN connection details to the new server.

Many thanks, here is the result of your proposed changes:
connection 'vpn-first' established successfully

Should I document this setup somewhere on the Wiki?

Out of curiosity, how would you configure the server and client if I wanted to add a vpn-third subnet with 192.168.3.0?

Best regards
Martin


On 07/13/2016 03:49 PM, Tobias Brunner wrote:
Hi Martin,

> Regarding #1, on the server I have configured another IP address for the
> network device:
> ip addr add 192.168.1.0/24 dev eth0
>
> Do I need to add a route as well?

You won't need either of those to connect the two subnets.

> Central server internal IP: 192.168.1.0, external IP: vpn.example.org
> First home gateway: 192.168.0.1/24
> Second home gateway: 192.168.2.1/24
>
> Please find below my ipsec.conf

See my comments below.

> The connection seems to be established, but I get the following error
> message on the server:
> traffic selectors 192.168.1.0/32 192.168.2.0/24 === 192.168.1.0/24
> inacceptable
> failed to establish CHILD_SA, keeping IKE_SA
>
> On the first gateway I get:
> installing new virtual IP 192.168.0.1
> received TS_UNACCEPTABLE notify, no CHILD_SA built
> failed to establish CHILD_SA, keeping IKE_SA

Since you simply want to set up a site-to-site tunnel the use of virtual
IPs (left|rightsourceip) is completely misplaced.

> ## Server.conf
>
> config setup
>
> conn base
> ...
>           leftsubnet=192.168.1.0
What you actually want is to use leftsubnet=<subnet 2> for the
connection with 1 and leftsubnet=<subnet 1> for the connection with 2.
The server obviously does not have to be directly connected to these
subnets, but this will result in the correct IPsec policies for the
traffic to get tunneled via the central server.  So remove the above
line and then change the rest as follows:

> ...
> conn vpn-first
>             also=base
>           auto = add
>           rightcert = firstCert.pem
>           rightsubnet = 192.168.0.0/24
            leftsubnet = 192.168.2.0/24
Remove:
>           rightsourceip = 192.168.0.1
>
> conn vpn-mann
>             also=base
>           auto = add
>           rightcert = secondCert.pem
>           rightsubnet = 192.168.2.0/24
            leftsubnet = 192.168.0.0/24
Remove:
>           rightsourceip = 192.168.2.1

> # First gateway ipsec.conf (second one skipped for the moment)
>
> ...
> conn vpn-stern
> ...
Remove 192.168.1.0 from:
>           rightsubnet = 192.168.1.0,192.168.2.0/24
> ...
Remove:
>           leftsourceip = %config4

Regards,
Tobias
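Applying Tobias's rule to the third subnet Martin asks about: an added example ipsec.conf (not from the thread) for the hub and for the first spoke, where each hub conn's rightsubnet is that spoke's own LAN and its leftsubnet lists every other spoke's LAN, so the hub's IPsec policies carry traffic straight out of one tunnel into the next without any sourceip or extra address on the hub. Assumed: IKEv2, the conn name vpn-third, the files serverCert.pem and thirdCert.pem, and 192.168.3.0/24 as the third LAN.

```conf
# Hub (vpn.example.org): one conn per spoke. rightsubnet = that spoke's LAN,
# leftsubnet = the LANs of all OTHER spokes (assumed layout, not from the thread).
config setup

conn base
    keyexchange=ikev2
    left=%any
    leftcert=serverCert.pem
    leftid=@vpn.example.org
    right=%any
    auto=add

conn vpn-first
    also=base
    rightcert=firstCert.pem
    rightsubnet=192.168.0.0/24
    leftsubnet=192.168.2.0/24,192.168.3.0/24

conn vpn-second
    also=base
    rightcert=secondCert.pem
    rightsubnet=192.168.2.0/24
    leftsubnet=192.168.0.0/24,192.168.3.0/24

conn vpn-third
    also=base
    rightcert=thirdCert.pem
    rightsubnet=192.168.3.0/24
    leftsubnet=192.168.0.0/24,192.168.2.0/24

# Spoke 1 (home gateway 192.168.0.1): own LAN on the left, the other two LANs on
# the right, mirroring the hub's vpn-first conn.
conn vpn-stern
    keyexchange=ikev2
    left=%defaultroute
    leftcert=firstCert.pem
    leftsubnet=192.168.0.0/24
    right=vpn.example.org
    rightid=@vpn.example.org
    rightsubnet=192.168.2.0/24,192.168.3.0/24
    auto=start
```

The hub must have net.ipv4.ip_forward=1 so decrypted packets from one tunnel can be re-encrypted into the next; spokes 2 and 3 follow the same pattern with their own LAN on the left.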


_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
