I'm trying to set up an IPsec-secured connection to the gateway. I have three hosts:
A:
eth1 - fec0:1::1/64
B:
eth1 - fec0:1::2/64
eth2 - fec0:2::2/64
which is the gateway between A and C; forwarding is set to 1 in sysctl
C:
eth1 - fec0:2:3/64
I'd like to build an IPsec connection between A and B, which will then be forwarded unsecured between B and C.
ipsec.conf:
```
config setup
    charondebug="ike 2, knl 2, cfg 1"

ca strongswan
    cacert=ca.crt
    auto=add

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    mobike=no
    keyexchange=ikev2

conn host-host
    left=fec0:1::1
    leftcert=hostA.crt
    leftid=@hostA
    right=fec0:1::2
    rightid=%any
    type=transport
    auto=add
```
B's configuration looks similar. I tried to set auto=route, but then I'm not able to initialize any connection.
With this configuration only traffic addressed to B is secured. When I try to send something from A to C, it is unsecured on the whole path.
Any ideas how to solve it?
Best Answer
That's exactly how it should be. You established a Transport Mode IPsec SA between A and B, which means there are IPsec policies that only apply for traffic between these two hosts. If you want to secure traffic between A and C (on the path between A and B) you have to use tunnel mode and configure the appropriate traffic selectors/policies.
Either add an additional connection:
Or change the existing connection:
The configuration on B has to be changed accordingly.
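As an added illustration of the tunnel-mode setup described in the answer (this is not the answer's own snippet, which is missing from the page): a strongSwan ipsec.conf `conn` for A and the matching one for B. It assumes the certificate and identity names on B (hostB.crt, @hostB) and the tunnel name `net-to-c`; the addresses come from the question, and C's network is taken to be fec0:2::/64 from B's eth2 address.

```ini
# On A: everything A sends to C's network (fec0:2::/64) is encapsulated
# towards gateway B. leftsubnet is left at its default (A's own address),
# so the traffic selector is fec0:1::1/128 <-> fec0:2::/64.
conn net-to-c
    left=fec0:1::1
    leftcert=hostA.crt
    leftid=@hostA
    right=fec0:1::2
    rightid=%any
    rightsubnet=fec0:2::/64
    type=tunnel
    auto=add

# On B (assumed names hostB.crt / @hostB): B terminates the tunnel and
# announces C's network as the subnet behind it; packets are decapsulated
# here and forwarded to C in the clear on eth2.
conn net-to-c
    left=fec0:1::2
    leftcert=hostB.crt
    leftid=@hostB
    leftsubnet=fec0:2::/64
    right=fec0:1::1
    rightid=@hostA
    type=tunnel
    auto=add
```

The existing transport-mode `host-host` conn can stay alongside this one, since its policy (fec0:1::1 <-> fec0:1::2) does not overlap the tunnel's selectors. After loading the connection on both sides (`ipsec reload` then `ipsec up net-to-c` on A), `ip -6 xfrm policy` on A should show an `out` policy with `src fec0:1::1/128 dst fec0:2::/64` and `mode tunnel`; if A-to-C traffic still leaves in plaintext, that policy is the first thing to check. The B-to-C leg remains unprotected by design, exactly as the question asks.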