5

I recently set up a strongswan IPSec VPN to access some non-public services of my home server from my android smartphone. I am using OpenVPN on some other devices for the same task, but chose strongswan for the phone, as IKEv2 is supposed (correct me if I am wrong) to be very resource friendly on mobile devices.

The current (OpenVPN) setup consists of one server (virtual IP: 10.0.0.2) and multiple clients (all in the 10.0.0.0/24 subnet). The routes on all parties are set up to route only packets destined for this subnet through the VPN. (I don't want to access the local subnet of my server from a client, and I also don't want to route all the traffic of my clients through the server.)

Now I kind of managed to get things going with strongswan (server: 5.0.4, client: official strongswan android app 1.3.0), but I am not completely there yet. First of all, the server configuration:

config setup

conn %default
  keyexchange=ikev2

conn android
  # server side
  left=%any
  leftauth=pubkey
  leftcert=serverCert.pem
  leftid=vpn.mydomain.com
  leftsourceip=10.10.10.128
  leftfirewall=yes
  # client (phone) side: gets a virtual IP from this pool
  right=%any
  rightsourceip=10.10.10.0/24
  rightauth=pubkey
  rightcert=clientCert_mymobilephone.pem
  rightauth2=eap-mschapv2
  auto=start

This assigns the IP 10.10.10.1 to my phone, but no IP to the server on any of its interfaces, which would be what I want. I can still access my server via the VPN by using its local IP (192.168.1.2), which is not really what I intended ;)

I would like to migrate all clients (mostly notebooks) from OpenVPN to strongswan, but the issue above prevents me from making the switch. I tried numerous different strongswan configurations, but none could match my OpenVPN config. Is that even possible, if so how?

Fabian Henze
  • This question, although interesting, appears to be off-topic because it is about a home setting, please take a look [here](http://serverfault.com/help/on-topic) – dawud Jul 28 '13 at 16:38
  • Point taken. I didn't know about that policy. However serverfault is full of obvious home settings (e.g. [here](http://serverfault.com/q/212382/110270) or [here](http://serverfault.com/q/257970/110270)) and I imagine that my question is also relevant for some enterprise applications. Additionally, all the servers that I manage for a living are in the OpenVPN network, so ... ;-) – Fabian Henze Jul 28 '13 at 16:49

1 Answer

5

Note that, as opposed to OpenVPN, strongSwan is not intended to be used in this fashion: it does not create virtual interfaces and does not assign virtual IP addresses to both sides of the tunnel. What you definitely could do is add the address 10.0.0.2 to one of your interfaces on the server side

ip addr add 10.0.0.2/32 dev eth0

and add the appropriate "leftsubnet" directive to your config so it becomes part of the IPsec Phase 2 exchange. Needless to say, you would need to be using ESP in tunnel mode in this case.

the-wabbit
  • I was under the impression, that I am already using ESP with tunneling. Is that not the case? – Fabian Henze Jul 28 '13 at 16:52
  • Assigning the IP address and adding the leftsubnet works, thanks! Could you elaborate what you mean by ESP with tunneling? – Fabian Henze Jul 28 '13 at 17:21
  • @FabianHenze yes, you do - StrongSwan uses the tunnel mode by default. I just added the remark to make the point that transport mode would not work out with this kind of configuration. – the-wabbit Jul 28 '13 at 21:03
  • "it does not create virtual interfaces and does not assign virtual IP addresses to both sides of the tunnel." --> How about this: https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp? – quanta Jul 22 '15 at 00:47
  • @quanta it still would not support adding a virtual IP to the server - which is what the OP wanted. As for the clients, it would work, but you would not get separate interfaces unless you are using something like the [libipsec plugin](https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec) – the-wabbit Jul 27 '15 at 10:52
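Putting the answer's two steps together, here is a server-side ipsec.conf that announces the address added with `ip addr add 10.0.0.2/32 dev eth0` as the left subnet, so the phone only sends traffic for 10.0.0.2 through the tunnel and the server's LAN stays outside it. This is an added example, not the poster's or the answerer's configuration; the pool 10.0.0.128/25, the certificate file names and the interface name are assumptions.

```conf
# /etc/ipsec.conf (server side) - added example, not from the original thread.
# Assumes the server has first run:
#   ip addr add 10.0.0.2/32 dev eth0
# so that 10.0.0.2 exists locally and can be offered as the left traffic selector.

config setup

conn %default
  keyexchange=ikev2

conn android
  left=%any
  leftauth=pubkey
  leftcert=serverCert.pem
  leftid=vpn.mydomain.com
  # Only the server's VPN address is reachable through the tunnel. Tunnel-mode
  # ESP (the default) carries packets for this /32; the LAN 192.168.1.0/24 is not
  # part of the SA, which matches the split routing of the OpenVPN setup.
  leftsubnet=10.0.0.2/32
  # Lets the _updown script install the iptables rules for leftsubnet itself.
  leftfirewall=yes
  # leftsourceip is deliberately absent: on the server it would request a
  # virtual IP from the phone, which is not the model here.
  right=%any
  # Virtual IP pool for the clients (assumed value). Chosen so that it does NOT
  # contain 10.0.0.2; otherwise a client could be handed the server's address.
  rightsourceip=10.0.0.128/25
  rightauth=pubkey
  rightcert=clientCert_mymobilephone.pem
  rightauth2=eap-mschapv2
  # A responder with right=%any cannot initiate, so load the conn with add.
  auto=add
```

After `ipsec reload`, `ipsec statusall` should list the installed CHILD_SA with traffic selectors `10.0.0.2/32 === <client virtual IP>/32`; any other destination from the phone must bypass the tunnel.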