strongswan: entirely virtual subnet [closed]
I recently set up a strongSwan IPsec VPN to access some non-public services of my home server from my Android smartphone. I am using OpenVPN on some other devices for the same task, but chose strongSwan for the phone, as IKEv2 is supposed (correct me if I am wrong) to be very resource-friendly on mobile devices.
The current (OpenVPN) setup consists of one server (virtual IP: 10.0.0.2) and multiple clients (all in the 10.0.0.0/24 subnet). The routes on all parties are set up so that only packets destined for this subnet are routed through the VPN. (I don't want to access the local subnet of my server from a client, and I also don't want to route all the traffic of my clients through the server.)
Now I kind of managed to get things going with strongSwan (server: 5.0.4, client: official strongSwan Android app 1.3.0), but I am not completely there yet. First of all, the server configuration:
config setup
conn %default
keyexchange=ikev2
conn android
left=%any
leftauth=pubkey
leftcert=serverCert.pem
leftid=vpn.mydomain.com
leftsourceip=10.10.10.128
leftfirewall=yes
right=%any
rightsourceip=10.10.10.0/24
rightauth=pubkey
rightcert=clientCert_mymobilephone.pem
rightauth2=eap-mschapv2
auto=start
This assigns the IP 10.10.10.1 to my phone, but no IP to the server on any of its interfaces, which would be what I want. I can still access my server via the VPN by using its local IP (192.168.1.2), which is not really what I intended ;)
I would like to migrate all clients (mostly notebooks) from OpenVPN to strongSwan, but the issue above prevents me from making the switch. I tried numerous different strongSwan configurations, but none could match my OpenVPN config. Is that even possible, and if so, how?
Note that, as opposed to OpenVPN, strongSwan is not intended to be used in this fashion: it does not create virtual interfaces and does not assign virtual IP addresses to both sides of the tunnel. What you definitely could do is add the address 10.0.0.2 to one of your interfaces on the server side
ip addr add 10.0.0.2/32 dev eth0
and add the appropriate "leftsubnet" directive to your config so it would be part of the IPsec Phase 2 exchange. Needless to say, you would need to be using ESP with tunneling in this case.
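As an added example (not from the question or the answer), this is how the answer's suggestion fits into the conn block from the question. It assumes the address has already been added with the ip addr command above and reuses the certificate file names, identity and client pool from the question; the comments explain what each changed line does.

```ini
# /etc/ipsec.conf on the server (added example, not the poster's config).
# Prerequisite, run once on the server (persist it in your network config):
#   ip addr add 10.0.0.2/32 dev eth0
conn android
    keyexchange=ikev2
    left=%any
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid=vpn.mydomain.com
    # The server's end of the tunnel. Offering only this /32 as the local
    # traffic selector means a client routes just packets for 10.0.0.2
    # through the tunnel; its default route and LAN access stay untouched,
    # which matches the OpenVPN behaviour described in the question.
    leftsubnet=10.0.0.2/32
    leftfirewall=yes
    right=%any
    # Virtual IPs handed out to clients. The server address above is
    # deliberately outside this pool so it can never be assigned to a client.
    rightsourceip=10.10.10.0/24
    rightauth=pubkey
    rightcert=clientCert_mymobilephone.pem
    rightauth2=eap-mschapv2
    # A responder with right=%any cannot initiate, so load the conn and
    # wait for peers instead of auto=start.
    auto=add
```

The leftsourceip line from the question is dropped here: in ipsec.conf that option asks the peer for a virtual IP for the local side, so it does not place an address on a server interface; the ip addr command does that.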