[Openswan Users] Multi-net access to a service behind vpn

sertys at estates.bg
Mon Apr 19 06:44:18 EDT 2010


I have been having difficulty configuring my desired VPN setup.
I have a service daemon on an Openswan-enabled gateway, and clients
connecting to it. So far, so good: road warriors connect and do receive data.
Now I want to put a middle link between them, like this:

Client <---ipsec---> VPN Gate(running strongswan for a specific reason)
<----ipsec----> Service daemon

I think I am having difficulties configuring the strongSwan/Openswan link the
way I want it, and specifically routing the packets to go over that link. It
would be easy if IPsec tunnels appeared as virtual devices, or at least
appeared in the kernel routing table.

This is my connection definition:
conn commport1
    type=tunnel
    # Key exchange (IKE, phase 1)
    ike=aes256-sha1-modp1536
    # Data exchange (ESP, phase 2)
    esp=aes256-sha1
    authby=secret
    auto=start
    #auth=esp
    keyingtries=2
    #keyexchange=ike
    # Modeconfig setting
    #modecfgpull=yes
    pfs=no
    rekey=yes
    #salifetime=16h
    # Dead peer detection
    dpddelay=120
    dpdtimeout=140
    dpdaction=restart
    # Local vitals (the strongSwan gateway)
    left=strong.ip
    leftsubnet=192.168.2.2/32      # single-host selector: the gateway's tunnel address
    leftid=%any
    leftnexthop=%defaultroute      # correct in many situations
    leftsourceip=192.168.2.2
    # Remote vitals (the service daemon host)
    right=sec.ip
    rightsubnet=192.168.2.1/32     # single-host selector: the service host's tunnel address
    rightid=%any
    rightnexthop=%defaultroute     # correct in many situations
    rightsourceip=192.168.2.1

(and reversed on the other side, sec and strong; sec is the service daemon
machine), which has got me to the point that I can create a tunnel between
the two machines.
My road warriors on strong are taking addresses from the 192.168.6.0/24
range and issuing requests (it's an IKEv1 connection, no specific traffic
selectors) to 192.168.2.1 (which is on sec).

But the SYNs are just not routed via the commport1 connection.
I guess I have to fiddle with the subnet and nexthop definitions, but I'm
seeking help here to avoid misconfigurations.
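The behaviour described in the post follows from the traffic selectors in the conn definition rather than from routing. The gateway-side ipsec.conf fragment below is an added example, not configuration from the original post or from either project: it keeps the poster's commport1 as written (its selectors are only the two tunnel endpoints, 192.168.2.2/32 and 192.168.2.1/32, so a forwarded packet from a road warrior at 192.168.6.x to 192.168.2.1 matches no IPsec policy and is not carried by that SA) and adds a second conn whose selectors cover the road-warrior pool. The conn name commport1-rw, the %default section and the placeholders strong.ip and sec.ip are assumptions made for the example.

```ini
# Added example (not from the original post): the "strong" gateway side of
# the strong <-> sec link. strong.ip / sec.ip are placeholders.

# Parameters shared by both conns, taken from the posted commport1.
conn %default
    type=tunnel
    ike=aes256-sha1-modp1536
    esp=aes256-sha1
    authby=secret
    keyingtries=2
    pfs=no
    rekey=yes
    dpddelay=120
    dpdtimeout=140
    dpdaction=restart
    left=strong.ip
    leftid=%any
    leftnexthop=%defaultroute
    right=sec.ip
    rightid=%any
    rightnexthop=%defaultroute
    auto=start

# As posted: this SA only carries gateway <-> service host traffic.
# A packet 192.168.6.x -> 192.168.2.1 matches neither selector, so it is
# not protected or tunnelled by this conn.
conn commport1
    leftsubnet=192.168.2.2/32
    leftsourceip=192.168.2.2
    rightsubnet=192.168.2.1/32

# Added conn (assumed name): a second IKEv1 quick-mode SA whose selectors
# cover the road-warrior pool. IKEv1 negotiates one selector pair per
# conn, so this is a separate conn rather than a second entry in
# leftsubnet. The Openswan side ("sec") needs the mirror image:
#   leftsubnet=192.168.2.1/32  rightsubnet=192.168.6.0/24
conn commport1-rw
    leftsubnet=192.168.6.0/24
    rightsubnet=192.168.2.1/32
```

Two checks and one caveat. With the native Linux stack (NETKEY) the tunnels are indeed absent from the routing table; the place to look is the policy database, `ip xfrm policy`, where an established commport1-rw shows as `src 192.168.6.0/24 dst 192.168.2.1/32 dir out`; with KLIPS the equivalent is `ipsec eroute`. The road-warrior conn on the gateway must also allow 192.168.2.1 as a destination (the post's "no specific traffic selectors" suggests it already does). The caveat: a forwarded packet that matches no policy is not dropped by IPsec but leaves the gateway via the ordinary default route in the clear, with its 192.168.6.x source intact, which is exactly what the unanswered SYNs would do unless a firewall rule stops them.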

