User:NeddySeagoon/strongswan

This article describes setting up a strongswan based VPN.

I've tried a few times and lost interest, but it would be a good thing to have.

Scope
At present, this page is more 'notes to self', since it's not working.

The approach will be 'baby steps'. Get a tunnel up between two hosts on the same subnet.

Fix the routing to support a tunnel between subnets. The motivation for that is to enable printing from untrusted hosts on WiFi to my printer on the trusted network. I could just move the printer to the untrusted network but that's a pain.

The next step will be to allow VPN connections from the big bad internet.

My router is a KVM running shorewall. It supports IPv4 and IPv6. The intent is to make both work. The shorewall setup will be described too.

I won't be able to avoid kernel configuration either.

At present, I don't intend to cover l2tp, since I don't think I have a use for it. However, if Android 8 needs it ...

Motivation
There is lots of documentation around the web describing all the various bits, so it should just be assembling all the bits.

I've tried that; it's like trying to cross a chasm in several small jumps. There are bits missing in the middle. Hence the 'baby steps' approach of building on what works.

Planning
The goal is to set up a VPN server, listening to the big bad internet, that will manage the tunnel(s) and route traffic to and from the protected network as if the VPN were its own shorewall zone.

The end game then is one shorewall install and one strongswan install on the router KVM. My network will look like

The table below shows the firewall setup. Rows are the zone a connection comes From, columns the zone it goes To. Symbols:

  -   From may not initiate connections To
  ?   connection initiation is determined by shorewall rules
  /   same zone, no restrictions

 fw IP               | From     | To:   net | Green | Blue | DMZ | fw | VPN-Net | VPN-Blue
---------------------+----------+-----------+-------+------+-----+----+---------+----------
 Internet/29         | Net      |       /   |   -   |  -   |  ?  | ?  |         |    ?
 192.168.100.253/24  | Green    |       ?   |   /   |  ?   |  ?  | ?  |    ?    |    ?
 192.168.54.253/24   | Blue     |       ?   |   -   |  /   |  ?  | -  |    -    |    -
 192.168.10.253/24   | DMZ      |       ?   |   -   |  -   |  /  | -  |    -    |    -
 All of the above    | fw       |       ?   |   -   |  -   |  ?  | /  |         |
 Internet/29         | VPN-Net  |      ???  |   ?   |  -   |  ?  | -  |    /    |    -
 192.168.54.253      | VPN-Blue |      ???  |   -   |  ?   |  ?  | -  |    -    |    /

Net = Internet
Green = Trusted
Blue = Untrusted
DMZ = Servers reachable from the internet

(The blank cells and the ??? cells are still undecided.)

The IPv6 version will use the same logic.
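As an added worked example (not the page's own configuration), this is how the matrix above translates into Shorewall's zones and policy files. The zone names are assumptions, shortened to stay within Shorewall's five-character zone-name limit (Net→net, Green→green, Blue→blue, DMZ→dmz, VPN-Net→vpn, VPN-Blue→vpnb); the blank and ??? cells of the matrix are left out. A '-' cell becomes a DROP policy, a '?' cell falls through to a REJECT catch-all and gets its ACCEPT entries in /etc/shorewall/rules, and '/' cells need nothing because Shorewall accepts intra-zone traffic by default.

```text
# /etc/shorewall/zones
# The two VPN zones are declared as type ipsec on the assumption that the
# strongswan tunnels are policy-based (kernel XFRM policies), since VPN-Net
# arrives on the same interface as Net and is told apart only by IPsec state.
#ZONE    TYPE
fw       firewall
net      ipv4
green    ipv4
blue     ipv4
dmz      ipv4
vpn      ipsec
vpnb     ipsec

# /etc/shorewall/policy
# Policies are matched top-down, first match wins, so the DROP lines that
# implement the '-' cells must precede the catch-all at the bottom.
#SOURCE  DEST    POLICY   LOGLEVEL
net      green   DROP     info
net      blue    DROP     info
blue     green   DROP     info
blue     fw      DROP     info
blue     vpn     DROP     info
blue     vpnb    DROP     info
dmz      green   DROP     info
dmz      blue    DROP     info
dmz      fw      DROP     info
dmz      vpn     DROP     info
dmz      vpnb    DROP     info
fw       green   DROP     info
fw       blue    DROP     info
vpn      blue    DROP     info
vpn      fw      DROP     info
vpn      vpnb    DROP     info
vpnb     green   DROP     info
vpnb     fw      DROP     info
vpnb     vpn     DROP     info
# '?' cells: decided connection by connection in /etc/shorewall/rules,
# so nothing listed above is rejected here and each permitted service
# gets its own ACCEPT rule there.
all      all     REJECT   info
```

The ipsec zone type still needs the interface binding in /etc/shorewall/hosts, which is not shown. If the tunnels end up route-based instead (XFRM or VTI interfaces), vpn and vpnb become ordinary ipv4 zones attached to those interfaces and the policy file is unchanged.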

Shorewall
Shorewall will not be required until we need to do some routing.