Hello,

I have an Asus router running DD-WRT. On this router I've enabled OSPF. The router sits on VLAN1: 192.168.0.0/24

There are two more VLANs within the space:

VLAN2: 10.0.0.0/24
VLAN3: 10.1.0.0/24
VLAN4: 10.2.0.0/24
VLAN5: 10.3.0.0/24

I've installed strongSwan on top of this router and am looking to configure site-to-site VLAN via IKEv2 to 4 more external VLANs:

VLAN1: 10.10.0.0/24
VLAN2: 10.10.1.0/24
VLAN3: 10.10.2.0/24
VLAN4: 10.10.3.0/24

So my config looks like this:

/opt/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

conn REMOTE-VLAN1
        authby=secret
        auto=start
        type=tunnel
        keyexchange=ikev2
        keylife=3600s
        ikelifetime=28800s
        left=100.100.100.100
        leftsubnet=192.168.0.0/24
        # leftnexthop=%defaultroute
        right=123.123.123.123
        rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
        ike=aes256-sha1-modp1024
        esp=aes256-sha1

conn REMOTE-VLAN2
        authby=secret
        auto=start
        type=tunnel
        keyexchange=ikev2
        keylife=3600s
        ikelifetime=28800s
        left=100.100.100.100
        leftsubnet=10.0.0.0/24
        # leftnexthop=%defaultroute
        right=123.123.123.123
        rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
        ike=aes256-sha1-modp1024
        esp=aes256-sha1

conn REMOTE-VLAN5
        authby=secret
        auto=start
        type=tunnel
        keyexchange=ikev2
        keylife=3600s
        ikelifetime=28800s
        left=100.100.100.100
        leftsubnet=10.3.0.0/24
        # leftnexthop=%defaultroute
        right=123.123.123.123
        rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
        ike=aes256-sha1-modp1024
        esp=aes256-sha1



root@ASUS01:~# ipsec status
Security Associations (1 up, 0 connecting):
REMOTE-VLAN1[1]: ESTABLISHED 3 seconds ago, 100.100.100.100[100.100.100.100]...123.123.123.123[123.123.123.123]
REMOTE-VLAN1{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ada5f39c_i a96955ba_o
REMOTE-VLAN1{1}: 192.168.0.0/24 === 10.10.0.0/24 10.10.1.0/24 10.10.2.0/24 10.10.3.0/24 10.10.4.0/24
root@ASUS01:~#

Judging by the effect of the configuration file and what happens on restart, it doesn't appear I can create any other VLAN routes other than from the VLAN I'm currently on.

How do I effectively make a site-to-site VPN configuration using strongSwan between all 10 VLANs?

Additionally, for the VLAN that does have a tunnel created, I can ping a local (left) subnet directly but not vice versa.

I'm interested in the correct configuration to use first, since I'm very new to this. If this still doesn't work, I'll post the logs from a known-good configuration.

--
Thx,
TK.
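A small checker for the ipsec.conf layout used in the post, added here as an example and not part of the original mail or of strongSwan: it parses the conn sections, reports every conn that reuses the same left/right peer pair (as all three conns above do), and flags the legacy sha1/modp1024 proposals. The sample config is a constructed copy of two of the conns above.

```python
from collections import defaultdict
# Constructed sample in the poster's layout (two of the three conns); not the original file.
IPSEC_CONF = """\
conn REMOTE-VLAN1
        left=100.100.100.100
        leftsubnet=192.168.0.0/24
        right=123.123.123.123
        rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
        ike=aes256-sha1-modp1024
        esp=aes256-sha1
conn REMOTE-VLAN2
        left=100.100.100.100
        leftsubnet=10.0.0.0/24
        right=123.123.123.123
        rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
        ike=aes256-sha1-modp1024
        esp=aes256-sha1
"""

LEGACY = {"sha1", "md5", "modp1024", "modp768", "3des", "des"}

def parse_ipsec_conf(text):
    """Map each 'conn NAME' section to its key=value options; 'config setup' is skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and indentation
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif line.startswith("config "):
            current = None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conns[current][key] = value
    return conns

def audit(conns):
    """Flag legacy ike/esp algorithms and conns that reuse one left/right peer pair."""
    findings, peers = [], defaultdict(list)
    for name, c in conns.items():
        for opt in ("ike", "esp"):
            # proposal tokens are separated by '-', lists by ',' and strict mode by '!'
            for alg in c.get(opt, "").replace(",", "-").replace("!", "-").split("-"):
                if alg in LEGACY:
                    findings.append((name, f"{opt}: legacy algorithm {alg}"))
        peers[(c.get("left"), c.get("right"))].append(name)
    for (left, right), names in peers.items():
        if len(names) > 1:
            findings.append((",".join(names), f"same peers {left}<->{right}"))
    return findings
```

Conns that share a peer pair are negotiated as CHILD_SAs under one IKE_SA, so a single `ipsec status` entry per conn name, like the one above, is the thing to check for after `ipsec restart`.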
