strongswan: entirely virtual subnet
Note that, as opposed to OpenVPN, strongSwan is not intended to be used in this fashion: it does not create virtual interfaces and does not assign virtual IP addresses to both sides of the tunnel. What you definitely could do is to add the address 10.0.0.2 to one of your interfaces on the server side

    ip addr add 10.0.0.2/32 dev eth0

and add the appropriate "leftsubnet" directive to your config so it would be part of the IPSEC Phase 2 exchange. Needless to say, you would need to be using ESP with tunneling in this case.
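The two steps of the answer, checked mechanically, as an added example that is not part of the original answer or of strongSwan itself: a minimal parser for ipsec.conf "conn" sections, a check whether the server's virtual address falls inside the leftsubnet traffic selectors, and a helper that adds the missing leftsubnet line. The sample config is a constructed reflow of the question's conn with the answer's 10.0.0.2 as the server address; the "ip addr add" step still has to be done on the host.

```python
import ipaddress
# Constructed sample: the question's 'conn android' reflowed, before the fix (no leftsubnet).
SAMPLE_CONF = """\
config setup
conn android
    left=%any
    leftid=vpn.mydomain.com
    right=%any
    rightsourceip=10.10.10.0/24
    rightauth=pubkey
    auto=start
"""

def parse_conns(text):
    """Return {conn_name: {param: value}} for every 'conn' section of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                   # unindented: 'conn NAME' or 'config setup'
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name, {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def server_vip_in_selectors(conn, server_vip):
    """True if server_vip lies inside a leftsubnet network, i.e. inside the phase 2 traffic selectors."""
    vip = ipaddress.ip_address(server_vip)
    for net in conn.get("leftsubnet", "").split(","):
        try:
            if vip in ipaddress.ip_network(net.strip(), strict=False):
                return True
        except ValueError:                          # empty or symbolic entry such as %dynamic
            continue
    return False

def add_leftsubnet(text, name, server_vip):
    """Add 'leftsubnet=<server_vip>/32' to conn NAME (idempotent); the address must also be on an interface."""
    if "leftsubnet" in parse_conns(text).get(name, {}):
        return text
    out = []
    for line in text.splitlines():
        out.append(line)
        if line.strip() == f"conn {name}":
            out.append(f"    leftsubnet={server_vip}/32")
    return "\n".join(out) + "\n"
```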
Fabian Henze
Updated on September 18, 2022

Comments
-
Fabian Henze almost 2 years
I recently set up a strongswan IPSec VPN to access some non-public services of my home server from my android smartphone. I am using OpenVPN on some other devices for the same task, but chose strongswan for the phone, as IKEv2 is supposed (correct me if I am wrong) to be very resource friendly on mobile devices.
The current (OpenVPN) setup consists of one server (virtual IP: 10.0.0.2) and multiple clients (all in the 10.0.0.0/24 subnet). The routes on all parties are set up to route only those packets through the VPN that are destined for this subnet. (I don't want to access the local subnet of my server from a client, and I also don't want to route all the traffic of my clients through the server.)
Now I kind of managed to get things going with strongswan (server: 5.0.4, client: official strongswan android app 1.3.0), but I am not completely there yet. First of all, the server configuration:
    config setup

    conn %default
        keyexchange=ikev2

    conn android
        left=%any
        leftauth=pubkey
        leftcert=serverCert.pem
        leftid=vpn.mydomain.com
        leftsourceip=10.10.10.128
        leftfirewall=yes
        right=%any
        rightsourceip=10.10.10.0/24
        rightauth=pubkey
        rightcert=clientCert_mymobilephone.pem
        rightauth2=eap-mschapv2
        auto=start
This assigns the IP 10.10.10.1 to my phone, but no IP to the server on any of its interfaces, which would be what I want. I can still access my server via the VPN by using its local IP (192.168.1.2), which is not really what I intended ;)
I would like to migrate all clients (mostly notebooks) from OpenVPN to strongswan, but the issue above prevents me from making the switch. I tried numerous different strongswan configurations, but none could match my OpenVPN config. Is that even possible, if so how?
-
dawud almost 11 years
This question, although interesting, appears to be off-topic because it is about a home setting; please take a look here
-
Fabian Henze almost 11 years
I was under the impression that I am already using ESP with tunneling. Is that not the case?
-
Fabian Henze almost 11 years
Assigning the IP address and adding the leftsubnet works, thanks! Could you elaborate what you mean by ESP with tunneling?
-
the-wabbit almost 11 years
@FabianHenze yes, you do: strongSwan uses the tunnel mode by default. I just added the remark to make the point that transport mode would not work out with this kind of configuration.
-
Greg Petersen almost 9 years
"it does not create virtual interfaces and does not assign virtual IP addresses to both sides of the tunnel." --> How about this: wiki.strongswan.org/projects/strongswan/wiki/VirtualIp?
-
the-wabbit almost 9 years
@quanta it still would not support adding a virtual IP to the server, which is what the OP wanted. As for the clients, it would work, but you would not get separate interfaces unless you are using something like the libipsec plugin.