VPN scenario possible?

llaakkss999
Feb 1, 2018
Hi,

I'm currently starting with VPN and I'm not too sure what I can and what I cannot do. Hope you guys could help me clear a few things up.

1. I have a VPS on Digital Ocean, Ubuntu 16.04
2. I've started a StrongSwan VPN on it.
3. I successfully connected to the server with my Windows client and my connections to the internet are routed via the VPS. It is the VPS's IP that I use outside. So that's fine.
4. What I'm actually trying to do is to make what I believe is called a host-site connection.
5. I have a device with a GSM modem and VPN capability. I successfully connected it to the VPN:

ipsec statusall:

Connections:
rw: %any...%any IKEv1 Aggressive, dpddelay=15s
rw: local: [my.vps.ip] uses pre-shared key authentication
rw: remote: uses pre-shared key authentication
rw: child: 172.17.0.0/16 === dynamic TUNNEL, dpdaction=clear
ikev2-vpn: %any...%any IKEv2, dpddelay=300s
ikev2-vpn: local: [159.89.10.55] uses public key authentication
ikev2-vpn: cert: "C=US, O=VPN Server, CN=myip"
ikev2-vpn: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2-vpn: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
rw[10]: ESTABLISHED 88 seconds ago, 159.89.x.x[159.89.x.x]...83.x.x.x[192.168.1.22]
rw[10]: IKEv1 SPIs: da54ad243ec56b10_i 4c86445740b464d6_r*, pre-shared key reauthentication in 7 hours
rw[10]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048

***

What I can not do:


Device - - Internet - - VPN Gateway on OpenSwan - - Internet -- client

basically:
1. The client and the device are connected to the VPN independently and they are far apart.
2. StrongSwan routes the traffic between them, acting as the server.

Is that possible?
In all scenarios on the strongswan wiki the gateway has two network interfaces; I have a feeling that this is crucial, but can anyone explain it to me a little more?

Thanks,

Bernie
 
Solution
It should be possible but it is part of the VPN configuration on the server. I wish I could tell you the details but I have only done this on commercial routers/firewalls.

In general your VPN can run a couple of ways.

The more common way a corporate installation works is the VPN gives you an IP address on the local company network. This allows you to access the data on the company LAN. Since other VPN users also have IP addresses on the corporate network you can access them. You must though use the LAN assigned by the VPN to do this. In corporate networks it is not as much an issue because things like domain servers make it easier to find other machines even though the IP may change.

Now what it appears you have done is the traffic goes to your server and then goes back out to the internet. I suspect there is a LAN IP actually involved but it is hard to say if you can see it and if the VPN is configured to allow traffic between the LAN IPs.

It has been a long time since I messed with Ubuntu; commercial firewalls are much simpler in some ways. You may be better off looking for a sample configuration that is designed for remote access to a company network rather than a VPN designed to give you a different internet IP address.
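The reachability question in the thread, worked through as an added example (this is not code from the thread or from strongSwan). Two road-warrior clients of one gateway can only talk through it if (a) each client sends traffic for the other's VPN address into its own tunnel, which is decided by the gateway-side traffic selector shown on the `child:` line of `ipsec statusall`, and (b) the gateway forwards between the two tunnels (IP forwarding enabled and its FORWARD chain permitting pool-to-pool traffic). The script below parses the `child:` lines from the statusall output posted above and checks condition (a) for a pair of clients; the virtual IPs `172.17.0.2`, `10.10.10.2` and `172.17.1.2` are constructed assumptions, since the thread does not show which addresses the gateway hands out. Condition (b) is a runtime property of the gateway that a static check cannot see.

```python
"""Check whether two clients of one strongSwan gateway would tunnel traffic
to each other. Added example, not from the thread or the strongSwan project."""
import ipaddress
import re

# The connection definitions as posted in the thread (only the lines this
# check needs). In real output the lines are indented; we strip them.
STATUSALL = """\
Connections:
          rw: %any...%any IKEv1 Aggressive, dpddelay=15s
          rw: local: [my.vps.ip] uses pre-shared key authentication
          rw: child: 172.17.0.0/16 === dynamic TUNNEL, dpdaction=clear
   ikev2-vpn: %any...%any IKEv2, dpddelay=300s
   ikev2-vpn: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
"""

# "<conn>: child: <gateway-side selectors> === <client-side selectors> TUNNEL"
CHILD_RE = re.compile(
    r"^(?P<conn>\S+):\s+child:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)\s+TUNNEL"
)


def parse_child_selectors(text):
    """Map connection name -> gateway-side traffic selectors (ip_network list).

    The gateway-side selector is what a connected client will send into the
    tunnel; 'dynamic' on the client side stands for the client's own or
    virtual address, which we do not need here.
    """
    selectors = {}
    for line in text.splitlines():
        m = CHILD_RE.match(line.strip())
        if not m:
            continue
        nets = [ipaddress.ip_network(n) for n in m.group("local").split(",")]
        selectors.setdefault(m.group("conn"), []).extend(nets)
    return selectors


def client_tunnels_to(selectors, conn, dst_ip):
    """True if a client on connection `conn` sends traffic for dst_ip into its tunnel."""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in net for net in selectors.get(conn, []))


def check_pair(selectors, a, b):
    """a and b are (connection name, that client's VPN address).

    Returns (a_reaches_b, b_reaches_a). Both must be True for a two-way
    conversation through the hub, and the gateway must still forward between
    the tunnels, which this check cannot observe.
    """
    (conn_a, ip_a), (conn_b, ip_b) = a, b
    return (
        client_tunnels_to(selectors, conn_a, ip_b),
        client_tunnels_to(selectors, conn_b, ip_a),
    )


if __name__ == "__main__":
    sel = parse_child_selectors(STATUSALL)
    device = ("rw", "172.17.0.2")            # assumed address of the GSM device
    windows_outside = ("ikev2-vpn", "10.10.10.2")   # assumed pool outside 172.17/16
    windows_inside = ("ikev2-vpn", "172.17.1.2")    # assumed pool inside 172.17/16
    print("pool outside device selector:", check_pair(sel, device, windows_outside))
    print("pool inside  device selector:", check_pair(sel, device, windows_inside))
```

With the posted selectors the Windows client tunnels everything (`0.0.0.0/0`), so its packets to the device always enter the tunnel, but the device only tunnels `172.17.0.0/16`; if the IKEv2 pool lies outside that range the device's replies go to its GSM default route instead, and the check reports one-way reachability. Placing the IKEv2 pool inside `172.17.0.0/16` makes both directions True, which is the precondition the gateway's forwarding rules then have to satisfy.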
 