IPsec for public IP networks between two hosts using strongSwan

In one of my previous articles I wrote about an IPsec transport between two hosts. That was pretty easy to set up (you might take it as a basis when following this post). All traffic between those two IPs was encrypted. Now let's do the same for public IP networks instead of just two IPs.

The goal is to have all traffic between the given public IP networks (here y.y.y.y/26, x.x.x.x/27 and a.a.a.a/27) encrypted, so that whenever the two hosts communicate with each other, everything is encrypted by IPsec.

Let’s assume the following:

  • node1
    • x.x.x.x/27
    • y.y.y.y/26
  • node2
    • a.a.a.a/27

On node1, /etc/ipsec.conf is configured like this:

# ipsec.conf - strongSwan IPsec configuration file
 
conn general
    authby=ecdsasig
    compress=no
    type=tunnel
    auto=start
    # this is the tunnel ip of the local machine i.e. the local endpoint
    left=x.x.x.x
    # the local networks
    leftsubnet=x.x.x.x/27,y.y.y.y/26
    leftsigkey=/etc/ipsec.d/public/node1.pub.key
 
include /etc/ipsec.d/*.conf

Additionally, a configuration file for the node1-to-node2 connection is created at /etc/ipsec.d/node2.conf:

conn node1-node2
    also=general
    # the remote endpoint
    right=a.a.a.a
    # the remote networks
    rightsubnet=a.a.a.a/27
    rightsigkey=/etc/ipsec.d/public/node2.pub.key

On node2 it looks pretty much the same, just reversed:

# ipsec.conf - strongSwan IPsec configuration file
 
conn general
    authby=ecdsasig
    compress=no
    type=tunnel
    auto=start
    # this is the tunnel ip of the local machine i.e. the local endpoint
    left=a.a.a.a
    # the local networks
    leftsubnet=a.a.a.a/27
    leftsigkey=/etc/ipsec.d/public/node2.pub.key
 
include /etc/ipsec.d/*.conf

Additionally, a configuration file for the connection to node1 is created at /etc/ipsec.d/node1.conf:

conn node2-node1
    also=general
    right=x.x.x.x
    rightsubnet=x.x.x.x/27,y.y.y.y/26
    rightsigkey=/etc/ipsec.d/public/node1.pub.key
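Before restarting, it is worth checking that the two ends actually mirror each other: node1's left/leftsubnet/leftsigkey must equal node2's right/rightsubnet/rightsigkey and vice versa, and settings both sides negotiate (authby, type, compress) must agree. A typo in one of the subnet lists is a classic reason why the IKE_SA comes up but the CHILD_SA (the actual tunnel) is rejected with a traffic-selector error. The following script is an added example, not code from the original post or from the strongSwan project. It parses only the subset of ipsec.conf syntax used on this page (conn sections, indented key=value lines, `also=` inheritance, `#` comments) and cross-checks both nodes' configurations from above; the `include` line is represented by concatenating the per-peer file. The addresses are constructed from the RFC 5737 documentation ranges in place of the x.x.x.x / y.y.y.y / a.a.a.a placeholders.

```python
"""Cross-check a two-node strongSwan tunnel configuration for mirror consistency.

Added example; not part of the original post or of strongSwan itself.
"""
import ipaddress
from typing import Dict, List, Optional

Conn = Dict[str, str]

# Constructed sample: node1's /etc/ipsec.conf with /etc/ipsec.d/node2.conf appended,
# as the `include` directive would pull it in. 192.0.2.1 stands for x.x.x.x,
# 203.0.113.0/26 for y.y.y.y/26 and 198.51.100.1 for a.a.a.a.
NODE1_CONF = """\
# ipsec.conf - strongSwan IPsec configuration file
conn general
    authby=ecdsasig
    compress=no
    type=tunnel
    auto=start
    left=192.0.2.1
    leftsubnet=192.0.2.0/27,203.0.113.0/26
    leftsigkey=/etc/ipsec.d/public/node1.pub.key

include /etc/ipsec.d/*.conf

conn node1-node2
    also=general
    right=198.51.100.1
    rightsubnet=198.51.100.0/27
    rightsigkey=/etc/ipsec.d/public/node2.pub.key
"""

# Constructed sample: node2's configuration, reversed as in the post.
NODE2_CONF = """\
conn general
    authby=ecdsasig
    compress=no
    type=tunnel
    auto=start
    left=198.51.100.1
    leftsubnet=198.51.100.0/27
    leftsigkey=/etc/ipsec.d/public/node2.pub.key

conn node2-node1
    also=general
    right=192.0.2.1
    rightsubnet=192.0.2.0/27,203.0.113.0/26
    rightsigkey=/etc/ipsec.d/public/node1.pub.key
"""

# Deliberately broken variant for contrast: node2 forgets the second remote subnet.
NODE2_CONF_BROKEN = NODE2_CONF.replace(
    "rightsubnet=192.0.2.0/27,203.0.113.0/26", "rightsubnet=192.0.2.0/27")


def parse_ipsec_conf(text: str) -> Dict[str, Conn]:
    """Return {conn name: settings} with `also=` inheritance resolved.

    Top-level directives other than `conn` (e.g. `include`) are skipped.
    """
    raw: Dict[str, Conn] = {}
    current: Optional[Conn] = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                   # blank line or comment
        if not line[0].isspace():                      # section header or directive
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = raw.setdefault(parts[1], {}) if is_conn else None
            continue
        if current is None:
            raise ValueError(f"indented line outside a conn section: {line!r}")
        key, sep, value = line.strip().partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed line: {line!r}")
        current[key.strip()] = value.strip()

    def resolve(name: str, chain: tuple = ()) -> Conn:
        if name not in raw:
            raise ValueError(f"also={name} refers to an undefined conn")
        if name in chain:
            raise ValueError(f"also= cycle: {' -> '.join(chain + (name,))}")
        own = dict(raw[name])
        parent = own.pop("also", None)
        merged = resolve(parent, chain + (name,)) if parent else {}
        merged.update(own)                             # explicit keys override inherited ones
        return merged

    return {name: resolve(name) for name in raw}


MIRRORED = (("left", "right"), ("leftsubnet", "rightsubnet"), ("leftsigkey", "rightsigkey"))
SHARED = ("authby", "type", "compress")


def _normalize(key: str, value: str):
    """Canonical form so that subnet order or address formatting does not matter.

    Subnets are parsed with strict=False (host bits masked off, as the kernel
    policy would). Key paths are compared verbatim: the post keeps the same
    file names on both nodes.
    """
    if key in ("left", "right"):
        return ipaddress.ip_address(value)
    if key in ("leftsubnet", "rightsubnet"):
        return frozenset(ipaddress.ip_network(s.strip(), strict=False) for s in value.split(","))
    return value


def check_tunnel(a: Conn, b: Conn, name_a: str = "A", name_b: str = "B") -> List[str]:
    """Return a list of problems; an empty list means the two ends are consistent."""
    problems: List[str] = []
    for (side, sname), (peer, pname) in (((a, name_a), (b, name_b)), ((b, name_b), (a, name_a))):
        for local_key, remote_key in MIRRORED:
            lv, rv = side.get(local_key), peer.get(remote_key)
            if lv is None or rv is None:
                problems.append(f"{sname}.{local_key} / {pname}.{remote_key}: missing")
            elif _normalize(local_key, lv) != _normalize(remote_key, rv):
                problems.append(f"{sname}.{local_key}={lv} does not mirror {pname}.{remote_key}={rv}")
        # Local and remote selectors on one node must not overlap; otherwise the
        # policy is ambiguous about which traffic belongs in the tunnel.
        if "leftsubnet" in side and "rightsubnet" in side:
            for ln in _normalize("leftsubnet", side["leftsubnet"]):
                for rn in _normalize("rightsubnet", side["rightsubnet"]):
                    if ln.overlaps(rn):
                        problems.append(f"{sname}: leftsubnet {ln} overlaps rightsubnet {rn}")
    for key in SHARED:
        if a.get(key) != b.get(key):
            problems.append(f"{key}: {name_a}={a.get(key)} vs {name_b}={b.get(key)}")
    return problems


def audit(conf_a: str, conn_a: str, conf_b: str, conn_b: str) -> List[str]:
    """Parse both nodes' configuration and cross-check the named connections."""
    a = parse_ipsec_conf(conf_a)[conn_a]
    b = parse_ipsec_conf(conf_b)[conn_b]
    return check_tunnel(a, b, conn_a, conn_b)


if __name__ == "__main__":
    for label, conf in (("as posted", NODE2_CONF), ("node2 missing a subnet", NODE2_CONF_BROKEN)):
        problems = audit(NODE1_CONF, "node1-node2", conf, "node2-node1")
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run against the configuration as posted the audit reports nothing; against the broken variant it reports that node1's leftsubnet list does not mirror node2's rightsubnet, which is exactly the kind of mismatch that is tedious to spot by eye across two hosts. To use it on real hosts, read the two files (main ipsec.conf plus the included peer file) into the two strings instead of the constructed samples.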

That's all. Restart the ipsec service on both nodes and ping between the networks.
