strongswan: entirely virtual subnet [closed]

I recently set up a strongSwan IPsec VPN to access some non-public services of my home server from my Android smartphone. I am using OpenVPN on some other devices for the same task, but chose strongSwan for the phone, as IKEv2 is supposed (correct me if I am wrong) to be very resource-friendly on mobile devices.

The current (OpenVPN) setup consists of one server (virtual IP: 10.0.0.2) and multiple clients (all in the 10.0.0.0/24 subnet). The routes on all parties are set up so that only packets destined for this subnet are routed through the VPN. (I don't want to access the local subnet of my server from a client, and I also don't want to route all the traffic of my clients through the server.)

Now I have kind of managed to get things going with strongSwan (server: 5.0.4, client: official strongSwan Android app 1.3.0), but I am not completely there yet. First of all, the server configuration:

config setup

conn %default
  keyexchange=ikev2

conn android
  # server side: listen on all local addresses, authenticate with its own certificate
  left=%any
  leftauth=pubkey
  leftcert=serverCert.pem
  # must match a subjectAltName in serverCert.pem
  leftid=vpn.mydomain.com
  # a responder never requests a virtual IP, so this has no effect on the server
  leftsourceip=10.10.10.128
  # let the updown script insert the iptables rules for the tunnel
  leftfirewall=yes
  # client side: any peer address; virtual IPs handed out from this pool,
  # the first client gets 10.10.10.1
  right=%any
  rightsourceip=10.10.10.0/24
  # first authentication round: client certificate (pinned to this one file),
  # second round: EAP-MSCHAPv2 username/password
  rightauth=pubkey
  rightcert=clientCert_mymobilephone.pem
  rightauth2=eap-mschapv2
  # a responder with right=%any cannot initiate; auto=add loads the conn and
  # waits for the phone (the original had auto=start, which only logs an error here)
  auto=add

This assigns the IP 10.10.10.1 to my phone, but no IP to the server on any of its interfaces, which would be what I want. I can still access my server via the VPN by using its local IP (192.168.1.2), which is not really what I intended ;)

I would like to migrate all clients (mostly notebooks) from OpenVPN to strongSwan, but the issue above prevents me from making the switch. I tried numerous different strongSwan configurations, but none could match my OpenVPN config. Is that even possible, and if so, how?


Note that, as opposed to OpenVPN, strongSwan is not intended to be used in this fashion: it does not create virtual interfaces and does not assign virtual IP addresses to both sides of the tunnel. What you definitely could do is add the address 10.0.0.2 to one of your interfaces on the server side

ip addr add 10.0.0.2/32 dev eth0

and add the appropriate "leftsubnet" directive to your config so it would be part of the IPsec Phase 2 exchange. Needless to say, you would need to be using ESP in tunnel mode in this case.
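The setup the answer describes, written out as an added example (it is neither the asker's nor the answerer's configuration): the server carries the former OpenVPN address 10.0.0.2 as a /32 on an existing interface and offers only that address as its side of the Phase 2 traffic selector, so the clients get a tunnel route for 10.0.0.2/32 and nothing else. The interface name eth0, the pool range, the file names and the CA-based client authentication are assumptions.

```conf
# Server side, as root, before charon starts (and again on every boot):
#   ip addr add 10.0.0.2/32 dev eth0
# Nothing on the LAN routes to this address; it is only reachable through the tunnel.

config setup

conn %default
  keyexchange=ikev2

conn android
  left=%any
  leftauth=pubkey
  leftcert=serverCert.pem
  leftid=vpn.mydomain.com
  # The server's half of the Phase 2 traffic selector. Only 10.0.0.2 is offered,
  # so 192.168.1.0/24 stays unreachable through the tunnel and the clients do not
  # send their other traffic through the server either.
  leftsubnet=10.0.0.2/32
  leftfirewall=yes
  right=%any
  # Virtual IP pool for the clients. A range instead of 10.0.0.0/24 keeps the
  # server's own 10.0.0.2 out of the pool; with the full /24 the second client
  # to connect would be handed the server's address.
  rightsourceip=10.0.0.10-10.0.0.254
  # Client certificates are verified against the CA certificate placed in
  # /etc/ipsec.d/cacerts, so every notebook and the phone can use the same conn
  # instead of pinning one rightcert per device.
  rightauth=pubkey
  rightauth2=eap-mschapv2
  auto=add
```

The Android app proposes 0.0.0.0/0 as the remote traffic selector and accepts whatever the server narrows it to, so with leftsubnet=10.0.0.2/32 the phone ends up with a VpnService route for just that address; a strongSwan notebook client with rightsubnet=0.0.0.0/0 is narrowed the same way. After a client connects, ipsec statusall should show the CHILD_SA as 10.0.0.2/32 === 10.0.0.x/32; if the server's side still reads 192.168.1.0/24 or a wider prefix, the leftsubnet line was not loaded (ipsec reload, then reconnect).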