Hello Markus,

Please provide all the information listed on the HelpRequests page[1] the way it is shown next to the specific information and explain the meaning of these IP addresses and subnets. It is necessary in order to give you sensible advice.
Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 16.03.20 at 08:24, /M wrote:
> Hi,
>
> I'm currently trying to set up a strongswan-based VPN network between one
> office network and some road warriors.
> Unfortunately the core router of the office does not provide VPN support yet
> and forwarding ESP/IKE to an internal host will only be possible in a couple
> of weeks.
> In the meantime I'd like to provide a temporary solution for mobile access
> to some parts of our network.
> A quick and dirty idea was to have a secondary gateway in the office (sun)
> connect to an external server with a public IP (moon) with a tunnel setup.
> The road warriors (alice) will connect to moon using an IP-pool based setup.
> So far all of the point-to-point connections are working:
> alice -> moon, moon -> alice, (alice -> moon -> INTERNET)
> sun -> moon, moon -> sun
>
> Right now I'm stuck with figuring out the necessary rules to route packets
> alice -> sun via moon.
> Maybe just some iptables/xfrm entries, but maybe something else.
>
> Could you please help?
>
> Thanks and best regards
>
> Markus
>
> ---------------------------------------------------------------
> moon:
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
>
> config setup
>         strictcrlpolicy=no
>
> conn office-vpn
>         keyexchange=ikev2
>         esp=aes256-sha1
>         ike=aes256-sha256-modp2048
>         type=tunnel
>         compress=no
>         authby=secret
>         keyingtries=1
>         ikelifetime=30m
>         keylife=10m
>         rekeymargin=3m
>         mobike=no
>         left=<PUBIP_OF_MOON>
>         leftsubnet=172.16.99.0/30
>         leftid=@moon
>         leftfirewall=yes
>         rightsubnet=172.16.20.0/23
>         rightid=@sun
>         auto=route
>
> conn client-vpn
>         keyexchange=ikev2
>         dpdaction=clear
>         dpddelay=60s
>         left=<PUBIP_OF_MOON>
>         leftid="C=<CERT-DATA>"
>         leftsubnet=0.0.0.0/0
>         leftcert=/etc/ipsec.d/certs/moon.crt
>         leftsendcert=always
>         leftfirewall=yes
>         right=%any
>         rightsourceip=192.168.200.1/27
>         rightauth=pubkey
>         auto=add
>
> # iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  192.168.200.1        0.0.0.0/0            policy match dir in pol ipsec reqid 2 proto 50
> ACCEPT     all  --  0.0.0.0/0            192.168.200.1        policy match dir out pol ipsec reqid 2 proto 50
> ACCEPT     all  --  172.16.20.0/23       172.16.99.0/30       policy match dir in pol ipsec reqid 1 proto 50
> ACCEPT     all  --  172.16.99.0/30       172.16.20.0/23       policy match dir out pol ipsec reqid 1 proto 50
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> # iptables -t nat -L -n
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
> ACCEPT     all  --  192.168.200.0/27     0.0.0.0/0            policy match dir out pol ipsec
> MASQUERADE all  --  192.168.200.0/27     0.0.0.0/0
>
> ------------------------------------------
>
> sun
> ipsec.conf
> conn office-vpn
>         keyexchange=ikev2
>         esp=aes256-sha1
>         ike=aes256-sha256-modp2048
>         type=tunnel
>         compress=no
>         authby=secret
>         keyingtries=1
>         ikelifetime=30m
>         keylife=10m
>         rekeymargin=3m
>         mobike=no
>         left=%defaultroute
>         leftsubnet=172.16.20.0/23
>         leftid=@sun
>         leftfirewall=yes
>         right=<PUBIP_OF_MOON>
>         rightsubnet=172.16.99.0/30,192.168.200.0/27
>         rightid=@moon
>         auto=start
> ------------------------------------------
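Editorial example, not part of either message above: the posted `iptables -L -n` output on moon shows the sun<->moon CHILD_SA (reqid 1) was negotiated as 172.16.99.0/30 <-> 172.16.20.0/23 only, because moon's `office-vpn` declares `leftsubnet=172.16.99.0/30` and IKEv2 narrows sun's wider proposal (172.16.99.0/30,192.168.200.0/27) to what moon allows. A packet decapsulated from alice's tunnel (src 192.168.200.x, dst 172.16.20.y) therefore matches no outbound policy toward sun on moon. The fragment below shows moon's hub-side `office-vpn` with the road-warrior pool added to its local traffic selector; the addresses are the ones posted, everything else (that this is the only missing piece, that IP forwarding is enabled on moon) is an assumption.

```conf
# moon: /etc/ipsec.conf, hub side of the sun<->moon tunnel (editorial example,
# not the poster's file). Only leftsubnet differs from the posted conn.
conn office-vpn
        keyexchange=ikev2
        esp=aes256-sha1
        ike=aes256-sha256-modp2048
        type=tunnel
        authby=secret
        mobike=no
        left=<PUBIP_OF_MOON>
        leftid=@moon
        # Cover both moon's own transit net and the road-warrior pool, so the
        # negotiated TS becomes {172.16.99.0/30,192.168.200.0/27} <-> 172.16.20.0/23
        # and packets arriving from alice's tunnel have an outbound policy to sun.
        # Assumption: sun keeps rightsubnet=172.16.99.0/30,192.168.200.0/27 as posted.
        leftsubnet=172.16.99.0/30,192.168.200.0/27
        leftfirewall=yes
        rightsubnet=172.16.20.0/23
        rightid=@sun
        auto=route
```

With `leftfirewall=yes`, strongSwan's updown script should then also install the matching FORWARD rules for 192.168.200.0/27 <-> 172.16.20.0/23 (reqid 1), alongside the ones already shown for reqid 2. The two `ACCEPT ... policy match dir out pol ipsec` rules that precede the MASQUERADE in the posted POSTROUTING chain are what keep pool traffic bound for sun from being NATed, which matters here because sun's `rightsubnet` lists the pool by its real addresses. Whether anything further is required depends on the details Noel asked for above.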