How do I configure StrongSwan (ipsec) to access VLAN subnets?

msquires1972 · 09-02-2019, 09:09 PM

I am setting up a Site to site StrongSwan VPN on Debian 9 and Debian 10 OS.

For testing I added an IP address to the LO interface, I also added VLAN interfaces to the LO interface [lo.2. lo.3 and lo.4].

Name ---- IPv4 address ---- Netmask
lo ---- 192.168.166.1 ---- 255.255.255.252
lo.2 ---- 192.168.1.1 ---- 255.255.255.252
lo.3 ---- 192.192.2.2 ---- 255.255.255.252
lo.4 ---- 192.111.4.5 ---- 255.255.255.252

===============================================

The ipsec configuration file: SITE=A

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration

config setup
charoudebug="all"
strictcrlpolicy=no
uniqueids = yes

# connection to 10.0.0.4
conn 10.0.0.6-to-VPN
authby=secret
left=%defaultroute
leftid=10.0.0.6
leftsubnet=10.1.1.0/27
right=10.0.0.4
rightsubnet=192.168.166.0/30 192.168.1.0/30 192.192.2.0/30 192.111.4.5
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=24h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
auto=start

include /var/lib/strongswan/ipsec.conf.inc

=====================================================

The ipsec configuration file: SITE=B

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration

config setup
charondebug="all"
uniqueids=yes
strictcrlpolicy=no

# Connection to 10.0.0.6
conn VPN-to-10.0.0.6
authby=secret
left=%defaultroute
leftid=10.0.0.4
leftsubnet=192.168.166.0/30 192.168.1.0/30 192.192.2.0/30 192.111.4.5
right=10.0.0.6
rightsubnet=10.1.1.0/27
ike=aes256-sha2_256-modp1024!
esp=aes256-sha2_256!
keyingtries=0
ikelifetime=24h
lifetime=8h
dpddelay=30
dpdtimeout=120
dpdaction=restart
auto=start

include /var/lib/strongswan/ipsec.conf.inc

====================================================

Based on instructions I found, I tired these on both LeftSubnet and RightSubnet for SITE A & B:

leftsubnet=192.168.166.0/30 192.168.1.0/30 192.192.2.0/30 192.111.4.5

leftsubnets=192.168.166.0/30 192.168.1.0/30 192.192.2.0/30 192.111.4.5

leftsubnet={192.168.166.0/30,192.168.1.0/30,192.192.2.0/30,192.111.4.5}

leftsubnets={192.168.166.0/30,192.168.1.0/30,192.192.2.0/30,192.111.4.5}

====================================================

Is what I am trying to achieve even possible, or should I use another option?

nini09 · 09-10-2019, 02:33 PM

You need setup virtual tunnel interface to make it work.

msquires1972 · 09-18-2019, 09:02 AM

I was able to resolve the issue.
Thank you for the assist.