Hi,

happy new year! Many thanks for the great project and the support.

I'm currently trying to find a good configuration for the following setup, but I was unsuccessful so far:
 * strongswan gateway with 2 WAN interfaces on an Edgerouter POE:
    * WAN1: static private IPv4 address 192.168.240.2/24 behind a pfSense firewall (192.168.240.1) and dynamic IP allocation
    * WAN2: public DSL uplink with static IP address
    * LAN: 172.16.0.0/24

WAN1 is the primary (fast) internet uplink for the network, WAN2 is only used for static routes and manual fail-over.

To access WAN1 a client has to connect to an 802.1X-enabled WiFi and will receive an IP from 192.168.240.0/24.
To access WAN2 a client can contact the static IP.

Goal for the VPN: the users should be able to access the LAN from both WAN ports. I was able to set up two simple configurations for both (see below), but I have to add a static route for the WAN2 road warriors to allow correct routing.

My question: are there any configuration combinations (route-based vpn, custom scripts, etc.) that allow the correct routing?
Many thanks for your help and recommendations.

Cheers

/M

# ipsec version
Linux strongSwan U5.6.3/K4.9.79-UBNT
---------------------------
ipsec.conf:
config setup
    uniqueids=no
    strictcrlpolicy=yes

ca myca
    cacert=/config/user-data/ipsec.d/cacerts/my_CA.crt
    auto=add

# settings shared by both WAN conns; only "left" differs below
conn vpn-base
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=60s
    leftid="..."
    leftsubnet=172.16.0.0/24
    leftcert=/config/user-data/ipsec.d/certs/my.crt
    leftsendcert=always
    leftfirewall=yes
    right=%any
    rightsourceip=192.168.200.10-192.168.200.30
    rightdns=172.16.0.1
    rightauth=pubkey

# road warriors arriving on WAN1 (private address behind the pfSense)
conn WAN1
    also=vpn-base
    left=192.168.240.2
    auto=add

# road warriors arriving on WAN2 (static public address on the DSL uplink)
conn WAN2
    also=vpn-base
    left=XXX.XXX.142.228
    auto=add
---------------------------

---------------------------
# ip xfrm policy
src 172.16.0.0/24 dst 192.168.200.10/32
    dir out priority 371327
    tmpl src XXX.XXX.142.228 dst YYY.YYY.243.68
        proto esp spi 0xc68d7927 reqid 1 mode tunnel
src 192.168.200.10/32 dst 172.16.0.0/24
    dir fwd priority 371327
    tmpl src YYY.YYY.243.68 dst XXX.XXX.142.228
        proto esp reqid 1 mode tunnel
src 192.168.200.10/32 dst 172.16.0.0/24
    dir in priority 371327
    tmpl src YYY.YYY.243.68 dst XXX.XXX.142.228
        proto esp reqid 1 mode tunnel
---------------------------

---------------------------
# ip route
default via 192.168.240.2 dev eth1 proto zebra
YYY.YYY.0.0/12 via XXX.XXX.142.228 dev pppoe0 proto zebra
---------------------------
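
One way to get the WAN2 replies onto pppoe0 without a static route per road-warrior prefix, as an added example that is not part of the original post or of the strongSwan project: source-based policy routing on the gateway. The `ip xfrm policy` output above shows the outer ESP source for the WAN2 tunnels is XXX.XXX.142.228, and the `ip route` output shows the main table's default route points at eth1, so after encapsulation the ESP packets (and charon's IKE replies sent from that address) would leave via the wrong interface unless the main table knows the peer's prefix. A rule that sends everything sourced from the WAN2 address to its own table with a default route over pppoe0 fixes that lookup generically. The table number (100), the rule priority (1000), the `DRY_RUN` switch and the function names are my assumptions for this example; the addresses and device names are the placeholders from the post.

```shell
#!/bin/sh
# Added example, not from the original post or from strongSwan: source-based
# policy routing on the gateway. Everything the gateway sends FROM its WAN2
# address (IKE on UDP 500/4500 and the ESP packets whose outer source is
# XXX.XXX.142.228 in the xfrm policy above) is then routed out via pppoe0,
# regardless of the default route in the main table.
#
# Assumed values (placeholders, adjust to the real setup):
#   WAN2_ADDR   gateway's static WAN2 address (masked as XXX.XXX.142.228 in the post)
#   WAN2_DEV    PPPoE device carrying WAN2 (pppoe0 in the post)
#   WAN2_TABLE  spare routing table number for the WAN2 rule (assumed: 100)
#   PRIO        rule priority (assumed: 1000); it sits after strongSwan's own
#               rule for table 220 (charon's default routing_table_prio is 220),
#               so the routes charon installs for the tunnelled traffic are
#               still consulted first
# Set DRY_RUN=1 to print the ip(8) commands instead of executing them.

WAN2_ADDR="${WAN2_ADDR:-XXX.XXX.142.228}"
WAN2_DEV="${WAN2_DEV:-pppoe0}"
WAN2_TABLE="${WAN2_TABLE:-100}"
PRIO="${PRIO:-1000}"

# run CMD...: execute the command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install the rule and the per-table default route. Idempotent: the old rule
# is deleted first because "ip rule add" happily creates duplicates, and
# "ip route replace" overwrites an existing default in the table.
install_wan2_routing() {
    run ip rule del from "$WAN2_ADDR" table "$WAN2_TABLE" priority "$PRIO" 2>/dev/null || true
    run ip rule add from "$WAN2_ADDR" table "$WAN2_TABLE" priority "$PRIO"
    run ip route replace default dev "$WAN2_DEV" table "$WAN2_TABLE"
}

remove_wan2_routing() {
    run ip rule del from "$WAN2_ADDR" table "$WAN2_TABLE" priority "$PRIO"
    run ip route flush table "$WAN2_TABLE"
}

# Ask the kernel which device it would use for a packet from WAN2_ADDR to a
# road-warrior address (e.g. the YYY.YYY.243.68 peer from the xfrm output);
# prints the device and fails unless it is WAN2_DEV.
check_wan2_path() {
    peer="$1"
    dev=$(ip route get "$peer" from "$WAN2_ADDR" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1)
    printf '%s\n' "$dev"
    [ "$dev" = "$WAN2_DEV" ]
}

case "${1:-}" in
    install) install_wan2_routing ;;
    remove)  remove_wan2_routing ;;
    check)   check_wan2_path "${2:?usage: $0 check <road-warrior-ip>}" ;;
esac
```

Run it as `sh wan2-routing.sh install` after pppoe0 is up (on EdgeOS a script under /config/scripts/post-config.d survives reboots, and it has to be re-run from the PPP ip-up hook if the DSL session is re-established), then `sh wan2-routing.sh check YYY.YYY.243.68` should print `pppoe0`. With the rule in place the `YYY.YYY.0.0/12 via XXX.XXX.142.228 dev pppoe0` static route is no longer needed. The two conns could also be merged into one with `left=%any`: charon answers from the address the request arrived on, and the rule still sends the WAN2 ones out via pppoe0. A route-based setup with XFRM interfaces is not an option on this box, since those need kernel 4.19 and strongSwan 5.8; VTI devices with marks would work on 4.9, but the policy-routing rule above is the smaller change.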