strongswan: entirely virtual subnet


Note that, as opposed to OpenVPN, StrongSWAN is not intended to be used in this fashion - it does not create virtual interfaces and does not assign virtual IP addresses to both sides of the tunnel. What you definitely could do is adding the address 10.0.0.2 to one of your interfaces on the server side

ip addr add 10.0.0.2/32 dev eth0

and adding the appropriate "leftsubnet" directive to your config so it would be part of the IPSEC Phase 2 exchange. Needless to say you would need to be using ESP with tunneling in this case.
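As an added example (not code from the answer or from the strongSwan project), the POSIX shell script below carries out the two steps just described: it adds the /32 to an interface and renders the responder conn with the matching leftsubnet. It also checks one caveat the answer leaves implicit: the server's address must not sit inside the rightsourceip pool, or strongSwan could hand that same address to a client. The interface, certificate names and the 10.0.0.x addresses are assumed sample values.

```shell
#!/bin/sh
# Added example (not the answer's or strongSwan's code): give the server a virtual
# address and render the responder conn with a matching leftsubnet, refusing a
# server address that lies inside the client pool (it could be handed to a client).

# ip4_to_int 10.0.0.2 -> 167772162 (subshell body so IFS stays untouched)
ip4_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# vip_in_pool <addr> <cidr>: exit 0 when <addr> falls inside <cidr>
vip_in_pool() {
  vip=$(ip4_to_int "$1")
  net=$(ip4_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( vip & mask )) -eq $(( net & mask )) ]
}

# render_conn <server_vip> <client_pool>: print the conn for ipsec.conf; the
# leftsubnet puts the server's /32 into the IKEv2 traffic selectors, so clients
# reach it there instead of at its LAN address. Cert names are constructed.
render_conn() {
  if vip_in_pool "$1" "$2"; then
    echo "server address $1 lies inside client pool $2" >&2
    return 1
  fi
  cat <<EOF
conn roadwarrior
  keyexchange=ikev2
  left=%any
  leftauth=pubkey
  leftcert=serverCert.pem
  leftsubnet=$1/32
  right=%any
  rightauth=pubkey
  rightsourceip=$2
  auto=add
EOF
}

# apply <server_vip> <dev> <client_pool>: as root, add the /32 (idempotent) and
# print the conn; then append it to ipsec.conf and run "ipsec reload".
apply() {
  render_conn "$1" "$3" || return 1
  ip addr replace "$1/32" dev "$2"
}
if [ $# -eq 3 ]; then apply "$@"; fi
```

Running it as `sh script.sh 10.0.0.2 eth0 10.0.0.128/25` prints the conn and adds the address; with a pool of 10.0.0.0/24 it refuses, because 10.0.0.2 would be part of the pool.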


Fabian Henze

Updated on September 18, 2022

Comments

  • Fabian Henze
    Fabian Henze almost 2 years

    I recently set up a strongswan IPSec VPN to access some non-public services of my home server from my android smartphone. I am using OpenVPN on some other devices for the same task, but chose strongswan for the phone, as IKEv2 is supposed (correct me if I am wrong) to be very resource friendly on mobile devices.

    The current (openvpn) setup consists of one server (virtual ip: 10.0.0.2) and multiple clients (all in the 10.0.0.0/24 subnet). The routes on all parties are set up to route through the vpn only those packets that are destined for this subnet. (I don't want to access the local subnet of my server from a client and I also don't want to route all the traffic of my clients through the server)

    Now I kind of managed to get things going with strongswan (server: 5.0.4, client: official strongswan android app 1.3.0), but I am not completely there yet. First of all, the server configuration:

    config setup

    conn %default
      keyexchange=ikev2

    conn android
      left=%any
      leftauth=pubkey
      leftcert=serverCert.pem
      leftid=vpn.mydomain.com
      # leftsourceip asks the peer for a virtual IP for this side; the phone has
      # no pool to hand one out, so the server ends up without a tunnel address
      leftsourceip=10.10.10.128
      leftfirewall=yes
      right=%any
      # pool from which connecting clients get their virtual IP (first one: 10.10.10.1)
      rightsourceip=10.10.10.0/24
      rightauth=pubkey
      rightcert=clientCert_mymobilephone.pem
      rightauth2=eap-mschapv2
      # a responder with right=%any cannot initiate, so just load the conn and wait
      auto=add

    This assigns the IP 10.10.10.1 to my phone, but no IP to the server on any of its interfaces, which would be what I want. I can still access my server via the VPN by using its local IP (192.168.1.2), which is not really what I intended ;)

    I would like to migrate all clients (mostly notebooks) from OpenVPN to strongswan, but the issue above prevents me from making the switch. I tried numerous different strongswan configurations, but none could match my OpenVPN config. Is that even possible, if so how?

    • dawud
      dawud almost 11 years
      This question, although interesting, appears to be off-topic because it is about a home setting, please take a look here
    • Fabian Henze
      Fabian Henze almost 11 years
      Point taken. I didn't know about that policy. However serverfault is full of obvious home settings (e.g. here or here) and I imagine that my question is also relevant for some enterprise applications. Additionally, all the servers that I manage for a living are in the OpenVPN network, so ... ;-)
  • Fabian Henze
    Fabian Henze almost 11 years
    I was under the impression that I am already using ESP with tunneling. Is that not the case?
  • Fabian Henze
    Fabian Henze almost 11 years
    Assigning the IP address and adding the leftsubnet works, thanks! Could you elaborate what you mean by ESP with tunneling?
  • the-wabbit
    the-wabbit almost 11 years
    @FabianHenze yes, you do - StrongSwan uses the tunnel mode by default. I just added the remark to make the point that transport mode would not work out with this kind of configuration.
  • Greg Petersen
    Greg Petersen almost 9 years
    "it does not create virtual interfaces and does not assign virtual IP addresses to both sides of the tunnel." --> How about this: wiki.strongswan.org/projects/strongswan/wiki/VirtualIp?
  • the-wabbit
    the-wabbit almost 9 years
    @quanta it still would not support adding a virtual IP to the server - which is what the OP wanted. As for the clients, it would work, but you would not get separate interfaces unless you are using something like the libipsec plugin