Last active December 4, 2019 08:07
Site-to-site tunnel between StrongSwan (behind NAT) and Libreswan
```
# strongSwan side (site1, behind NAT), ipsec.conf
conn site1
    left=%defaultroute
    leftid=@site1
    leftrsasigkey=/etc/ipsec.d/certs/site1.pem
    right=<SITE2_IP>
    rightid=@site2
    rightrsasigkey="dns:<Base64 RFC 3110 RSA key from site2>"
    authby=rsasig
    auto=add
    type=tunnel
    keyexchange=ikev1
    esp=aes128-sha1-modp2048
```
```
# Libreswan side (site2, public IP), ipsec.conf
conn server
    left=%any
    leftid=@site1
    leftrsasigkey=<generate the Base64 RFC 3110 RSA key from site1.pem>
    right=<SITE2_IP>
    rightid=@site2
    rightrsasigkey=<key from `ipsec showhostkey --right`>
    authby=rsasig
    ikev2=never
    pfs=yes
    type=tunnel
```
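The Libreswan side needs site1's public key in RFC 3110 (DNSKEY resource record) format, which is what the `<generate ...>` placeholder above stands for. As an added example that is not part of the gist, the following standalone Python script reads an RSA public key PEM (PKCS#1 `RSA PUBLIC KEY` or X.509 `PUBLIC KEY`) and prints that string: exponent length, exponent, modulus, base64-encoded; the embedded sample key is a constructed toy value, not a real key.

```python
import base64
import re
import sys

def der_tlv(buf):
    """Read one DER tag-length-value element; returns (tag, value, rest)."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[2:2 + n], "big")
        pos = 2 + n
    return tag, buf[pos:pos + length], buf[pos + length:]

def der_sequence(buf):
    """Split a DER SEQUENCE into its (tag, value) children."""
    tag, body, _ = der_tlv(buf)
    assert tag == 0x30, "expected SEQUENCE"
    children = []
    while body:
        t, v, body = der_tlv(body)
        children.append((t, v))
    return children

def rsa_components(der):
    """Return (modulus, exponent) from PKCS#1 RSAPublicKey or SubjectPublicKeyInfo DER."""
    children = der_sequence(der)
    if children[0][0] == 0x30:                         # SPKI: { AlgorithmIdentifier, BIT STRING }
        bitstring = children[1][1]
        assert bitstring[0] == 0, "unexpected unused-bits count"
        children = der_sequence(bitstring[1:])         # inner RSAPublicKey
    (tn, n), (te, e) = children[0], children[1]
    assert tn == 0x02 and te == 0x02, "expected INTEGER modulus and exponent"
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def rfc3110_from_components(n, e):
    """RFC 3110 section 2: exponent length (1 byte, or 0x00 + 2 bytes if >= 256), exponent, modulus."""
    exp = e.to_bytes((e.bit_length() + 7) // 8, "big")
    prefix = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + len(exp).to_bytes(2, "big")
    mod = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return base64.b64encode(prefix + exp + mod).decode("ascii")

def rfc3110_from_pem(pem):
    """Extract the PEM body, decode it, and produce the RFC 3110 string for rightrsasigkey/leftrsasigkey."""
    m = re.search(r"-----BEGIN (?:RSA )?PUBLIC KEY-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("no PEM public key block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return rfc3110_from_components(*rsa_components(der))

# Constructed toy key (modulus 0xC0FFEE, exponent 65537) so the script runs without a file.
SAMPLE_PEM = "-----BEGIN RSA PUBLIC KEY-----\nMAsCBADA/+4CAwEAAQ==\n-----END RSA PUBLIC KEY-----\n"

if __name__ == "__main__":
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(rfc3110_from_pem(pem))                       # value to paste after leftrsasigkey=
```

Run it as `python3 rfc3110.py site1.pem`; real RSA keys with exponent 65537 always produce a string starting with `AwEAA`, and strongSwan's own `ipsec pki --pub --in site1.pem --outform dnskey` prints the same value, which is a convenient cross-check.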
In the config above, do we need to have leftid=@site2 instead of @site1? Same for right=<SITE2_IP>.
Also, are both sides behind NAT or only the first? I'm learning this stuff right now, so I'm not yet familiar with the configs.