Hi, yes you can fully integrate a remote host into a LAN by using the farp and dhcp plugins on the VPN gateway so that the gateway acts as an ARP proxy for the remote clients. Have a look at the following example scenario based on swanctl:
https://www.strongswan.org/testing/testresults/swanctl/dhcp-dynamic/

In swanctl.conf
https://www.strongswan.org/testing/testresults/swanctl/dhcp-dynamic/moon.swanctl.conf
use pools = dhcp and in strongswan.conf
https://www.strongswan.org/testing/testresults/swanctl/dhcp-dynamic/moon.strongswan.conf
define the DHCP server to be used.

Regards

Andreas

On 29.03.2018 18:57, Info wrote:
> True. Although I infer that 'pools' might be address pools (as with
> DHCP), I can find no evidence of this. And I now notice the 'pools'
> definition further down.
>
> But I'd like this VPN to be 'transparent'. IOW I'd like my remote
> machines and LAN members to use the same IP as they do in the LAN. If
> possible I'd like to avoid virtual IPs. Is there any way to do this?
>
> And I gather that in the IPSec gateway for the LAN, I can define
> different definitions for different remote machines, but I can't work
> out how this would be structured with swanctl. I'd actually prefer to
> keep the same definition for all remote initiators, but things may not
> always work out like we want.
>
> Side question: I'm also in the process of transitioning the LAN to
> IPV6. As my ISP will not foreseeably have IPV6 (Frontier Comm) I'll
> need to use a tunnel broker. Will this be a problem with Strongswan,
> and can the Android app do IPV6?
>
>
> On 03/28/2018 02:35 PM, Andreas Steffen wrote:
>> The connection setup gets now very far but finally fails because
>> the pools defined by
>>
>> pools = primary-pool-ipv4, primary-pool-ipv6
>>
>> don't seem to be defined (have you added a pools section in swanctl.conf?)
>> and therefore no virtual IP can be allocated to the initiator
>>
>> Wed, 2018-03-28 08:31 15[IKE] <ikev2-pubkey|1>
>> peer requested virtual IP %any
>> no virtual IP found for %any requested by 'C=US, O=Quantum
>> CN=aries.darkmatter.org'
>> peer requested virtual IP %any6
>> no virtual IP found for %any6 requested by 'C=US, O=Quantum
>> CN=aries.darkmatter.org'
>> no virtual IP found, sending INTERNAL_ADDRESS_FAILURE
>>
>> Regards
>>
>> Andreas
>>
>> On 28.03.2018 17:37, Info wrote:
>>> I have no way of interpreting the syntax of these proposals as there's
>>> no definitive description. Maybe '-' separates different options in a
>>> category and ',' separates categories? But it also doesn't explain
>>> "classic and combined-mode algos" nor not to mix them. I can't know
>>> these things by instinct.
>>>
>>> Something else is wrong with the example. I copied it -exactly- (except
>>> I used your esp_proposals), and the error log is attached.
>>>
>>>
>>>
>>> On 03/28/2018 02:21 AM, Andreas Steffen wrote:
>>>> Hi,
>>>>
>>>> as your log explicitly says:
>>>>
>>>>> Tue, 2018-03-27 15:13 15[CFG] classic and combined-mode (AEAD)
>>>>> encryption algorithms can't be contained in the same IKE proposal
>>>> Thus instead of
>>>>
>>>> esp_proposals =
>>>>> aes192gcm16-aes128gcm16-aes192-ecp256,aes192-sha256-modp3072,default
>>>> you must define
>>>>
>>>> esp_proposals =
>>>> aes192gcm16-aes128gcm16-ecp256,aes192-sha256-ecp256-modp3072,default
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
>

-- 
======================================================================
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!
www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
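A worked gateway configuration for the farp/dhcp setup Andreas describes at the top of the thread, which also applies the split esp_proposals from the end of the thread (AEAD and classic suites in separate comma-separated proposals). This is an added example, not the strongSwan test-scenario files linked above; the paths, addresses, interface name, certificate and identities are assumed.

```conf
# /etc/strongswan.conf (assumed path)
# The dhcp plugin relays the remote peer's address request to the LAN DHCP
# server; the farp plugin then answers ARP for that leased address on the
# LAN side, so the peer looks like a local host (a LAN address is still
# assigned to the peer as its virtual IP).
charon {
    plugins {
        dhcp {
            load = yes
            # Assumed LAN 10.1.0.0/16: its broadcast address reaches the
            # DHCP server; use the server's unicast address if it is relayed
            server = 10.1.255.255
            # Assumed LAN-facing interface of the gateway
            interface = eth1
            # Derive the DHCP client identity from the IKE identity so the
            # same peer gets the same lease on every connection
            identity_lease = yes
        }
        farp {
            load = yes
        }
    }
}

# /etc/swanctl/swanctl.conf (assumed path)
connections {
    rw {
        version = 2
        local_addrs = 192.0.2.1          # assumed public gateway address
        local {
            auth  = pubkey
            certs = gatewayCert.pem      # assumed certificate file
            id    = gateway.example.org  # assumed gateway identity
        }
        remote {
            auth = pubkey
        }
        # "dhcp" is the pool name provided by the dhcp plugin: addresses come
        # from the LAN DHCP server instead of a static pools {} section
        pools = dhcp
        proposals = aes256-sha256-ecp256
        children {
            lan {
                local_ts = 10.1.0.0/16   # assumed LAN behind the gateway
                # GCM (AEAD) suites and classic CBC+HMAC suites must stay in
                # separate proposals, as the CFG log line in the thread says
                esp_proposals = aes192gcm16-aes128gcm16-ecp256,aes192-sha256-ecp256-modp3072,default
            }
        }
    }
}
```

After loading with `swanctl --load-all`, a peer's lease can be checked against the DHCP server's lease table and `swanctl --list-sas` should show a 10.1.x.x virtual IP for the peer.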