Home / server / Questions / 1167911
Accepted
BluePython
Asked: 2024-11-19 18:37:10 +0800 CST

Safe Strongswan setup

  • 772

I've setup a host to host setup where I only want the server ip exposed so anyone connected to the VPN can talk to the services on that server.

connections {
    rw {
      pools = rw_pool
      send_cert = always
      unique = no
      fragmentation=yes
      local {
        auth = pubkey
        certs = [CERT].pem
        id = [ID]
      }

      remote {
        auth = eap-mschapv2
        eap_id = %any
      }
      children {
        rw {
          local_ts  = [WAN IP OF SERVER]
          esp_proposals = chacha20poly1305-sha512, aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1
        }
      }
      send_certreq = no
    }
 }

The connection works an the requests are indeed coming from a VPN selected IP range, however, since i'm targeting the outfacing IP, wouldn't this still route the traffic over an un-secure channel after the IP exit?

Client config:

connections {
    home {
      version=2
      remote_addrs = [SERVER ADDR]
      vips = 0.0.0.0
      local {
        auth = eap-mschapv2
        eap_id = [ID]
      }
      remote {
        auth = pubkey
        id = [SERVER ID]
      }
      children {
        home {
          remote_ts  = [WAN IP OF SERVER]
          local_ts = dynamic
          #remote_ts  = 10.10.10.0/24
          start_action = start
        }
      }
    }
  }

A second smaller question, how would you make a host to site setup, where my server is a single entity in its network, but the other side is a fortigate router with a larger network behind it, would this setup work?

Thanks for the effort in advance!

EDIT: Ip problem solved by using ip to create a tun0 interface and using that as local_ts

vpn

1 Answers

  1. Best Answer

    wouldn't this still route the traffic over an un-secure channel after the IP exit?

    No, and this is the main difference between IPsec and other VPN implementations. IPsec was originally designed specifically to be a host-to-host secure channel, with VPNs bodged on top afterwards (the VPN support that is now part of IKEv2 used to be a Cisco proprietary extension).

    Because of that, traditional IPsec implementations like strongSwan are policy-based rather than route-based1 – meaning that there is no separate tunnel interface through which packets need to be routed to become secure; instead they are intercepted and transformed as they leave the regular network interface.

    (In fact there even is a child SA mode – transport mode – which is meant exclusively for securing host-to-host traffic to the IPsec endpoint itself. It's rarely used since tunnel mode can do the same anyway, though transport mode has lower MTU overhead.)

    So even if you contact the VPN server's external address, which would usually have a "bypass" route in route-based systems, it's still subject to the IPsec transform layer and will be encrypted (as long as it's included in the negotiated local/remote_ts traffic selectors of the child SA).

    After establishing the SA, run swanctl -l to see which traffic it ultimately affects, or if you want, use ip xfrm to directly see the Linux "transform" policies that are applied just before packets exit the interface.

    If in doubt, use iptables policy match or nftables meta ipsec exists to prevent unsecured packets from leaving or entering your server.

    1 (The policy-based architecture of strongSwan does make VPN "virtual IP" usage quite a bit confusing, to the extent that they gave in and added some support for route-based model.)

    A second smaller question, how would you make a host to site setup, where my server is a single entity in its network, but the other side is a fortigate router with a larger network behind it, would this setup work?

    It should be enough to expand the traffic selectors on the Fortigate side (its equivalent of local_ts), and accordingly your server's remote_ts, to cover the additional subnet.

    • 0