The authentication is based on Pre-Shared Keys (<b>PSK</b>)
followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b>
based on user names and passwords. Next <b>carol</b> and <b>dave</b> request a
-<b>virtual IP</b> via the IKE Mode Config protocol by using the
-<b>leftsourceip=%modeconfig</b> parameter.
+<b>virtual IP</b> via the IKE Mode Config protocol by using the <b>leftsourceip=%modeconfig</b>
+parameter. The virtual IP addresses are registered under the users' XAUTH identity.
<p>
Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
inserts iptables-based firewall rules that let pass the tunneled traffic.
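Review bot: The description does not say that moon now hands out the virtual IPs from a shared pool (rightsourceip=10.3.0.0/24 in moon's ipsec.conf) instead of a fixed address per user, which is the substantive change of this commit; the added sentence about registering addresses under the XAUTH identity only covers the lease bookkeeping. Suggest extending it, e.g. "moon assigns the virtual IPs from the pool defined by rightsourceip and registers the leases under the users' XAUTH identity", so a reader understands why evaltest.dat now checks ipsec leases. Minor wording: "let pass the tunneled traffic" reads more naturally as "let the tunneled traffic pass".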
carol::cat /var/log/auth.log::extended authentication was successful::YES
dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::cat /var/log/auth.log::carol.*extended authentication was successful::YES
-moon::cat /var/log/auth.log::dave.*extended authentication was successful::YES
+moon::ipsec leases rw 10.3.0.1::carol::YES
+moon::ipsec leases rw 10.3.0.2::dave::YES
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::dave.*STATE_QUICK_R2.*IPsec SA established::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
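Review bot: Dropping the moon-side "extended authentication was successful" and STATE_QUICK_R2 checks leaves no responder-side verification that XAUTH and Quick Mode completed; the new ipsec leases lines only show that an address was assigned. Suggest keeping `moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES` and the dave counterpart alongside the lease checks. The lease checks also hard-code 10.3.0.1 for carol and 10.3.0.2 for dave, so they only hold if carol initiates before dave; that ordering assumption should be stated in the description or pretest so a later reordering does not turn it into a spurious failure.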
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
+ xauth_identity=carol
auto=add
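Review bot: xauth_identity=carol decouples the XAUTH user name from the IKE identity carol@strongswan.org used for the PSK, and it must match byte for byte the identity in front of `: XAUTH` in the rewritten secrets files; a short comment on the keyword saying that moon indexes the XAUTH password and the lease by this name would save the next reader a lookup. The same applies to xauth_identity=dave in dave's configuration below.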
carol@strongswan.org @sun.strongswan.org : PSK 0sR64pR6y0S5d6d8rNhUIM7aPbdjND4st5
-: XAUTH carol "4iChxLT3"
+carol : XAUTH "4iChxLT3"
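Review bot: The only PSK visible in carol's ipsec.secrets, `carol@strongswan.org @sun.strongswan.org : PSK 0sR64p...`, selects sun as the peer, while the connection in carol's ipsec.conf authenticates against rightid=@moon.strongswan.org. Please confirm that an entry matching moon (the key 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL that moon and dave use) exists in the part of the file not shown in this hunk; otherwise the PSK phase fails before XAUTH is ever reached. The new `carol : XAUTH "4iChxLT3"` form is consistent with xauth_identity=carol.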
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random
+ load = sha1 sha2 md5 aes des hmac gmp random xauth
}
# pluto uses optimized DH exponent sizes (RFC 3526)
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightsubnet=10.1.0.0/16
+ xauth_identity=dave
auto=add
: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-: XAUTH dave "ryftzG4A"
+dave : XAUTH "ryftzG4A"
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random
+ load = sha1 sha2 md5 aes des hmac gmp random xauth
}
# pluto uses optimized DH exponent sizes (RFC 3526)
keyingtries=1
authby=xauthpsk
xauth=server
+
+conn rw
left=PH_IP_MOON
leftid=@moon.strongswan.org
leftsubnet=10.1.0.0/16
leftfirewall=yes
right=%any
+ rightsourceip=10.3.0.0/24
auto=add
-
-conn carol
- rightid=carol@strongswan.org
- rightsourceip=PH_IP_CAROL1
-
-conn dave
- rightid=dave@strongswan.org
- rightsourceip=PH_IP_DAVE1
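Review bot: Replacing conn carol and conn dave by a single conn rw with right=%any removes the per-peer rightid binding, so the IKE identity of a roadwarrior is no longer matched against a known list; any peer that knows the group PSK reaches XAUTH, and the XAUTH user name and password become the only per-user credential. That is the intended model for a mode-config pool, but it is a change in what the scenario demonstrates and deserves a sentence in description.txt (or a comment in conn rw) rather than being implied by the deleted lines. Also note that the leases (and the leftfirewall rules derived from them) are now tied to the XAUTH identity, which is why evaltest.dat switched to ipsec leases.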
@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-: XAUTH carol "4iChxLT3"
+carol : XAUTH "4iChxLT3"
-: XAUTH dave "ryftzG4A"
+dave : XAUTH "ryftzG4A"
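Review bot: `@moon.strongswan.org : PSK 0sv+Nkx...` carries no peer selector, so with right=%any in conn rw it is the single shared secret for every roadwarrior; combined with the removal of the per-user conns, per-user authentication rests entirely on the two XAUTH lines below it. Worth stating explicitly in the description, since the old layout gave the (misleading) impression that the PSK was per user. The XAUTH identities carol and dave match the xauth_identity= values set on the clients.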
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac gmp random
+ load = sha1 sha2 md5 aes des hmac gmp random xauth
}
# pluto uses optimized DH exponent sizes (RFC 3526)