ipsec on linux,a simple and fast question

Question

Is my first VPN, for testing

this is my simple network scheme

LAN1(private 10.10.0.0/24) --->VPN-----internet---<VPN---<LAN2(private 10.20.0.0/24)

on /etc/ipsec.conf i use..

...
        left=ippublicserver1
        leftid=fqdnserverA
        leftsubnet=10.10.0.0/24
        right=ippublicserver2
        rightsubnet=10.20.0.0/24
....

My question is really simple..,on the serverB I have to use

An IDENTICAL ipsec.conf
A Different ipsec.conf where rigthsubnet become leftsubnet?

I think..B, is correct?

mostly correct. VPNs are a complex matter, and I would advise investigating it more before using them in production. — Rui F Ribeiro, Dec 31 '17 at 16:59
Is not production,virtual machines for testing and improve knowledge — elbarna, Dec 31 '17 at 17:05

score 1 · Accepted Answer · answered Dec 31 '17 at 19:45

Correct: A Different ipsec.conf where rigthsubnet become leftsubnet

The statement leftsubnet is every a server at where you write a config, e.g you lan

In this example:

LAN1 Gateway, leftsubnet is 10.10.0.0/24 and rightsubnet is 10.20.0.0/24

LAN2 Gateway, leftsubnet is 10.20.0.0/24 and rightsubnet is 10.10.0.0/24

score 1 · Answer 2 · answered Jan 01 '18 at 01:50

You can use the SAME ipsec.conf on both servers. Quoting from https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection (my emphasis),

Connection descriptions are defined in terms of a left endpoint and a right endpoint. [...] For every connection description an attempt is made to figure out whether the local endpoint should act as the left or the right endpoint. This is done by matching the IP addresses defined for both endpoints with the IP addresses assigned to local network interfaces [...]

What this means is that although there is a nominal convention that left = local, it doesn't actually matter.

ipsec on linux,a simple and fast question

2 Answers2