Home / server / Questions / 257970
Accepted
lurscher
Asked: 2011-04-11 08:03:15 +0800 CST

strongSwan ipsec setup, couple of questions

  • 772

i am trying to setup a IPsec bridge between my home network and my office network. I want to use StrongSwan to encrypt the traffic as IPsec

i am trying to follow this guide

A brief description of the networks:

  • the office network has 3 machines connected to an inexpensive D-link router, 2 of them are linux boxes, and should be able to be accessed from the IPsec network. The other machine is Windows and should not see any IPsec traffic

  • the home network has 2 machines, one is linux, which should be able to access and be accessed from the IPsec network. The other machine is windows and should not see any IPsec traffic

I'm not sure how to go about this, but i have 3 questions that are of high concern right now to me:

1) first a general question; assuming its possible and practical to arrange pre-sharing on secrets outside the internet (which in this case it is) would manual setup of keys be in general safer than setting up IKE or IKEv2?

2) i've read a bit about subnetting, and according to my interpretation of the strongswan documentation, i should set a site-to-site network, but i'm not sure where should i look for the right/left/rightsubnet/leftsubnet ip and masks to configure ipsec. EDIT To be more precise, i am looking at the ifconfig output and trying to decide how to translate this to configure rightsubnet/leftsubnet. What machines constitutes the gateways? Any ideas? sorry if this question is extremely trivial

3) I want to make a test IPsec network at home using virtualbox machines before deploying any setup in the real networks. Would this work? how many virtual machines would i need to make a realistic scenario?

thanks for your patience

(btw, i still don't have enough reputation to create the "strongswan" tag. If someone creates it i'll be glad to update the post with it)

vpn ipsec linux-networking strongswan ubuntu-10.10

1 Answers

  1. Best Answer
    1. Setting up pre-shared-keys still implies that you will be using IKE protocol for key negotiation. And yes pre-shared keys are considered safe, while they are not compromised. Same applies to the certificates - the PKI scheme is safe while private keys are not compromised.
    2. The only simple rule is that leftsubnet and rightsubnet should not overlap (e.g. there are no IPs that belong to both subnets). Take a look at sample diagram below or Google for sample ipsec.conf file on strongswan website.
    3. You will need at least 2 Virtual Machines that will be running as "IPsec Gateways". If you want more exotic features (e.g. NAT traversal), then you will also need a virtual machine(s) that will do NATTing (router).

    Here is diagram that explains what is leftsubnet and what is rightsubnet:

    Left_computer(192.168.0.2/24)<---> (192.168.0.1/24)Left_ipsec_gateway(Some_left_public_ip)<--->INTERNET<---> (Some_right_public_ip)Right_ipsec_gateway (192.168.1.1/24)<--->(192.168.1.2/24)Right_computer

    Left subnet here is 192.168.0.0/24 and right subnet is 192.168.1.0/24.

    For Left_computer(192.168.0.2/24) you must specify Left_ipsec_gateway(192.168.0.1/24) as gateway for Right_subnet(192.168.1.0/24). Usually default route already does this automatically for you. You must do the same thing for right subnet as well. Also this is the reason why I call the computer that is running StrongSwan as "IPsec Gateway".

    Hope this helps. Strongswan has wiki with Diagrams, you might want to look at.

    • 3