StrongSwan IPSEC Policy

Question

I have working connection A->B and B->C

I need a little help after 3 days of trying, still can't get the desired effect

what should I set in SITE B to get connection from A->C and C->A using ipsec policy ?

SITE A Mikrotik

local 10.10.0.0/24

Public= 179.x.x.x

SITE B ubuntu serv

local 192.168.0.0/24

Public= 216.x.x.x

SITE C Pfsense

local 192.168.255.0/24

Public=218.x.x.x

conn B->A

    type=tunnel
    auto=add
    keyexchange=ikev2
    authby=secret
    leftid=216.x.x.x
    left=216.x.x.x
    leftsubnet=192.168.0.0/24
    right=179.x.x.x
    rightsubnet=10.10.0.0/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1!
    aggressive=no
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s

conn B->C

    type=tunnel
    auto=add
    keyexchange=ikev2
    authby=secret
    leftid=216.x.x.x
    left=216.x.x.x
    leftsubnet=192.168.0.0/24
    right=218.x.x.x
    rightsubnet=192.168.255.0/24
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1!
    aggressive=no
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart

Answer 1

In this classic hub and spoke scenario, you need to negotiate IPsec policies (via left|rightsubnet) that include A's and C's subnet on the local side of these connections.

So for B->A you'd have to configure leftsubnet=192.168.0.0/24,192.168.255.0/24 and for B->C leftsubnet=192.168.0.0/24,10.10.0.0/24.

On A and C, you need a similar change so that on A the remote traffic selector includes C's subnet and vice-versa (you could also propose 0.0.0.0/0 to let it get narrowed to the actual remote subnets by B). Note that both of these things only work if the host that connects to B supports multiple subnets per CHILD_SA (which might not be the case for Mikrotik). If not, you'll have to create a separate connection for each subnet (see this FAQ entry on the strongSwan wiki).