What is your routing setup on the spokes?

Regards,

Andy Paton - Bsc. (Hons), MBCS
Innovation Engineer

andy.pa...@hp.com



From: users-bounces+andy.paton=hp....@lists.strongswan.org On Behalf Of Kevin Palmer
Sent: 30 August 2013 10:32
To: users@lists.strongswan.org
Subject: [strongSwan] Strongswan as a VPN Hub with a single network adapter

Hi,

I have just been using Strongswan for the first time and firstly I'd like to say how impressed I was in how easy it was to set up the VPN tunnels. I got my two tunnels working within about 20 minutes of installing Strongswan.

I have got a hub and two spokes and once the two tunnels were established I can successfully communicate between the spokes and the hub.

The problem I've got however is that each 'Spoke' of the VPN cannot contact other spokes in the VPN.

My first thought was that IPv4 Forwarding needs to be enabled, however enabling IPv4 Forwarding did not solve the problem.

I've also tried adding each spoke subnet as 'Left' subnets in the other connections in ipsec.conf but Strongswan reports "no local address found in traffic selector 10.6.0.0/24" as that subnet is not allocated to my adapter.

The other point to note is that my machine has only one network adapter which is connected to the internet, so to get a local subnet I added a second IP address to the adapter (eth0:0).

Does anyone have any suggestions on what I should try next?

Configuration below...

Thanks,

Kevin



Interfaces

auto eth0
iface eth0 inet static
    address xxx.xxx.xxx.xxx
    gateway zzz.zzz.zzz.zzz
    netmask 255.255.252.0

auto lo
iface lo inet loopback

auto eth0:0
iface eth0:0 inet static
    address 172.16.0.1
    netmask 255.255.0.0



ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=yes
        charonstart=yes
        plutostart=yes

# Add connections here.

conn %default
     ikelifetime=60m
     keylife=20m
     rekeymargin=3m
     keyingtries=1
     keyexchange=ikev2
     authby=secret
     mobike=yes

# CSVNETKP Connection

conn csvnetkp
      left=%any
      leftsubnet=172.16.0.0/24,10.6.0.0/24
      leftid=@csvpn.local
      right=aaa.aaa.aaa.aaa
      rightsubnet=10.4.0.0/16
      auto=route
      esp=aes256

conn csvnetmsdn2
     left=%any
     leftsubnet=172.16.0.0/24,10.4.0.0/16
     leftid=@csvpn.cirrasoft.local
     right=bbb.bbb.bbb.bbb
     rightsubnet=10.6.0.0/16
     auto=route
     esp=aes256


Where

xxx.xxx.xxx.xxx is my Public facing address
zzz.zzz.zzz.zzz is my ISP gateway
aaa.aaa.aaa.aaa is the Gateway of 'spoke' Subnet 10.4.0.0/16
bbb.bbb.bbb.bbb is the Gateway of 'spoke' Subnet 10.6.0.0/16


And I have my PSKs in the secrets file mapped to the two gateways.

If anyone can help this would be much appreciated.

I'm sure I am almost there but... not quite!

Many Thanks,

Kevin
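Added example, not code from this thread: a small Python check that parses the hub's ipsec.conf conn sections and reports any spoke subnet that another conn's leftsubnet does not contain, which is what the hub needs before spoke-to-spoke traffic can match a tunnel's traffic selectors. SAMPLE_CONF is constructed from the configuration posted above (placeholder gateway addresses kept as posted); on it the check flags that csvnetkp offers 10.6.0.0/24 while csvnetmsdn2's rightsubnet is 10.6.0.0/16.

```python
import ipaddress
import re

# Constructed sample modelled on the hub's ipsec.conf posted in this thread;
# placeholder gateway addresses are kept exactly as in the original post.
SAMPLE_CONF = """
conn csvnetkp
      left=%any
      leftsubnet=172.16.0.0/24,10.6.0.0/24
      right=aaa.aaa.aaa.aaa
      rightsubnet=10.4.0.0/16
conn csvnetmsdn2
     left=%any
     leftsubnet=172.16.0.0/24,10.4.0.0/16
     right=bbb.bbb.bbb.bbb
     rightsubnet=10.6.0.0/16
"""

def parse_conns(text):
    """Parse ipsec.conf 'conn' sections into {name: {key: value}}.
    Section headers start in column 0; settings are indented."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        header = re.match(r"conn\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def hub_spoke_findings(conns):
    """For each pair of spoke conns, the hub's leftsubnet on one conn must
    contain the other spoke's rightsubnet, otherwise the negotiated IKEv2
    traffic selectors never cover spoke-to-spoke traffic. Returns mismatches."""
    spokes = {n: c for n, c in conns.items() if "rightsubnet" in c}
    findings = []
    for name, cfg in spokes.items():
        local = [ipaddress.ip_network(s) for s in cfg.get("leftsubnet", "").split(",") if s]
        for other, ocfg in spokes.items():
            if other == name:
                continue
            remote = ipaddress.ip_network(ocfg["rightsubnet"])
            if not any(remote.subnet_of(net) for net in local):
                findings.append(f"{name}: leftsubnet does not cover {remote} (rightsubnet of {other})")
    return findings
```

Matching selectors are only the hub side: each spoke's own configuration must also carry the other spoke's subnet as a remote selector, and this check does not look at the spokes.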


_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
