[Swan] A Super-LAN

Colony.three colony.three at protonmail.ch
Thu Jan 11 19:25:15 UTC 2018


First, I am trying to figure out how to set up the right peer.  I have the left working now, and the right is a phone running the Strongswan app.  This works fine, but I find conflicting info on how to set up the right when on a laptop or other machine.

The system is a LAN with a number of KVM virtual machines.  One of these VMs is the router, with WAN access.  Another VM is the IPSec gateway running Libreswan -- ports 500 and 4500 are DNATted through the router, to the IPsec gateway VM.  This works fine with a remote Android phone and the Ss app.

But there will also be remote laptops.  And a remote mail server.  And all their IPs are changeable.

My goal is to have all machines commoned together on the VPN (they are all trusted).  The LAN class C is 192.168.1.0/24 and it would be ideal to assign remote machines a -known- IP in this range.  This way I'll know where everyone is.  If this is not possible then I'd like to have a VPN-internal range such as 10.1.1.0/24, but again to have each peer be assigned a -known- IP, so I know where each is.

All connexions must be mutual, IOW peer A can scp files from peer B, and peer B can scp files from peer A.

To set up a commoned system like this I suspect I'd need to set up individual segments between each peer and the gateway, in a hub-and-spoke.  Maybe I'd need a connexion one way, and a second one the other way?

All will be IKEv2, and cert auth.

I haven't been able to make myself understood on IRC as that's just snippets, so maybe someone here can advise.

- How does the ipsec.conf differ between left and right?  I read some examples where they are identical, and some where their roles are reversed.  When system A is the LAN gateway and system B is a remote laptop, in system A's ipsec.conf it is the left and B is the right.  But in system B's ipsec.conf is it the left and system A the right?  If so, what other ipsec.conf differences are there?  I can't find anything in the docs even showing a right ipsec.conf.

- Is it possible to assign a -known- IP to peers?  I find in the man page there is a leftsourceip= but this seems to apply in only one direction, from left to right.  Is this the case?  Or is there another way to assign known IPs to peers?  And is there a way to record them in a hosts file in some way?

Hopefully I've explained this well enough to show that the goal is a super-LAN, extended beyond the core LAN with IPSec.
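As an added illustration (not part of the original post, and not taken from the Libreswan project's own documentation), here is one way to express the hub-and-spoke layout asked about above in Libreswan's ipsec.conf syntax: a gateway ("hub") that accepts any certificate from the shared CA, plus one conn per known peer that pins that peer to a fixed address from a one-address pool. The certificate nicknames (gw, laptop-a, mail), the DNs under O=Example, the public name vpn.example.com and the 10.1.1.0/24 range are assumptions chosen for the example; the keyword spellings are those of the Libreswan 3.x era the post dates from (ikev2=insist, authby=rsasig) and should be checked against ipsec.conf(5) of the installed version.

```ini
# --- /etc/ipsec.conf on the IPsec gateway VM (the "hub") -------------------
# Libreswan works out which side is "left" by matching left= / right= against
# its own addresses, so "left" is simply "this host" in each file; the two
# files below are written from their own host's point of view.

conn %default
    # Common settings, inherited by every conn that follows.
    ikev2=insist
    authby=rsasig
    # Our own certificate and ID; %fromcert uses the cert's subject DN,
    # which keeps the ID stable behind the router's DNAT of 500/4500.
    leftid=%fromcert
    leftsendcert=always
    rightsendcert=always
    # Only accept peer certs issued by the same CA that issued ours.
    rightca=%same
    narrowing=yes
    fragmentation=yes
    dpddelay=30
    dpdtimeout=120

conn hub-any
    # Catch-all for peers with a valid CA-issued cert but no dedicated conn.
    left=%defaultroute
    leftcert=gw
    # 0.0.0.0/0 plus narrowing lets each spoke choose, via its own
    # rightsubnet=, whether it sends only the LAN or everything through us.
    leftsubnet=0.0.0.0/0
    right=%any
    rightaddresspool=10.1.1.100-10.1.1.199
    dpdaction=clear
    auto=add

# One conn per known peer. Libreswan picks the conn whose rightid= matches
# the DN in the peer's certificate (the string must match the cert subject
# exactly), and a single-address pool gives that peer a fixed address.
conn laptop-a
    left=%defaultroute
    leftcert=gw
    leftsubnet=0.0.0.0/0
    right=%any
    rightid="CN=laptop-a, O=Example"
    rightaddresspool=10.1.1.11-10.1.1.11
    dpdaction=clear
    auto=add

conn mailserver
    left=%defaultroute
    leftcert=gw
    leftsubnet=0.0.0.0/0
    right=%any
    rightid="CN=mail, O=Example"
    rightaddresspool=10.1.1.12-10.1.1.12
    dpdaction=clear
    auto=add

# --- /etc/ipsec.conf on a remote laptop (a "spoke") -------------------------
conn %default
    ikev2=insist
    authby=rsasig
    leftid=%fromcert
    leftsendcert=always
    rightca=%same
    narrowing=yes
    fragmentation=yes
    dpddelay=30
    dpdtimeout=120

conn hub
    left=%defaultroute
    leftcert=laptop-a
    # Request an address from the hub; the hub's laptop-a pool answers
    # 10.1.1.11, which becomes this side's tunnel address.
    leftmodecfgclient=yes
    right=vpn.example.com          # assumed public name of the router's WAN
    rightid="CN=gw, O=Example"
    # LAN only.  Use rightsubnet=0.0.0.0/0 to also reach the other spokes
    # (10.1.1.0/24) through the hub, at the cost of a full tunnel.
    rightsubnet=192.168.1.0/24
    dpdaction=restart
    auto=start
```

With the per-peer conns in place the tunnel addresses are known in advance, so an /etc/hosts line such as "10.1.1.11 laptop-a" on every machine is enough for mutual scp in either direction. Two caveats a deployment needs: the gateway VM must forward (net.ipv4.ip_forward=1) and the LAN hosts must route 10.1.1.0/24 via it, and the pool is kept outside 192.168.1.0/24 because Libreswan's documentation advises against an address pool overlapping the local subnet. Since every peer is treated as trusted, a lost laptop's certificate should be revoked promptly (CRL or OCSP on the gateway), otherwise whoever holds it inherits that peer's fixed address and access.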