[strongSwan] multiple right subnets - road warrior config

Arun G Nair arungnair at gmail.com
Wed Mar 27 05:42:45 CET 2013


Got it working. I created a virtual interface and used different left
IP addresses. Now I can connect to both networks.

Regards,

On Tue, Mar 26, 2013 at 10:57 AM, Arun G Nair <arungnair at gmail.com> wrote:
> Any clue on what might be happening?
>
> On Tue, Mar 26, 2013 at 1:40 AM, Arun G Nair <arungnair at gmail.com> wrote:
>> Hi,
>>
>>    I'm trying to connect to a Fortigate vpn gateway with Strongswan
>> 5.0.2 from linux. I've used parameters from windows fortinet ipsec
>> client (config below) and I'm able to successfully connect to the
>> gateway. But I can't connect to multiple remote subnets at the same
>> time. I can only connect to the last subnet defined. If I re-order the
>> definitions, I can connect to the other subnet. I've done this before
>> with site to site vpn connections but this is a road warrior set up.
>> What am I missing here?
>>
>>
>> PS:   I've not tried connecting to network-mgmt. That was in the docs
>> provided for fortinet on windows, but I don't have any servers in that
>> subnet.
>>
>> [~]> cat /opt/strongswan/etc/ipsec.conf
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>>         # strictcrlpolicy=yes
>>         uniqueids=never
>>         #charondebug="dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 3, knl 2, net 2, enc 1, lib 1"
>>
>> conn %default
>>         ikelifetime=8h
>>         keylife=30m
>>         rekeymargin=3m
>>         keyingtries=3
>>         keyexchange=ikev1
>>         ike=3des-sha-modp1536,aes-sha-modp1536
>>         esp=3des-sha-modp1536,aes-sha-modp1536
>>         aggressive=yes
>>         authby=secret
>>
>> conn network
>>         left=192.168.1.12
>>         leftid=user
>>         right=gateway.net
>>         rightid=vv.xx.yy.zz
>>
>> conn network-mgmt
>>         also=network
>>         rightsubnet=xx.yy.248.8/29
>>         auto=start
>>
>> conn network-trust
>>         also=network
>>         rightsubnet=xx.yy.248.32/28
>>         auto=start
>>
>> conn network-dmz
>>         also=network
>>         rightsubnet=xx.yy.248.48/28
>>         auto=start
>>
>>
>> [~]> sudo /opt/strongswan/sbin/ipsec statusall
>> Status of IKE charon daemon (strongSwan 5.0.2, Linux
>> 2.6.32-358.2.1.el6.i686, i686):
>>   uptime: 7 seconds, since Mar 26 01:24:51 2013
>>   malloc: sbrk 135168, mmap 0, used 95552, free 39616
>>   worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
>> scheduled: 3
>>   loaded plugins: charon aes des sha1 sha2 md5 random nonce x509
>> revocation constraints pubkey pkcs1 pkcs8 pgp dn
>> skey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve
>> socket-default stroke updown xauth-generic
>> Listening IP addresses:
>>   192.168.1.12
>> Connections:
>> network-mgmt:  192.168.1.12...gateway.net  IKEv1 Aggressive
>> network-mgmt:   local:  [user] uses pre-shared key authentication
>> network-mgmt:   remote: [vv.xx.yy.zz] uses pre-shared key authentication
>> network-mgmt:   child:  dynamic === xx.yy.248.8/29 TUNNEL
>> network-trust:   child:  dynamic === xx.yy.248.32/28 TUNNEL
>>  network-dmz:   child:  dynamic === xx.yy.248.48/28 TUNNEL
>> Security Associations (1 up, 0 connecting):
>> network-mgmt[1]: ESTABLISHED 6 seconds ago,
>> 192.168.1.12[user]...vv.xx.yy.zz[vv.xx.yy.zz]
>> network-mgmt[1]: IKEv1 SPIs: a3676024cee6d6d2_i* b8f961a5eedca572_r,
>> pre-shared key reauthentication in 7 hours
>> network-mgmt[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>> network-mgmt{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c99b5d07_i 381c7157_o
>> network-mgmt{1}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 24 minutes
>> network-mgmt{1}:   192.168.1.12/32 === xx.yy.248.8/29
>> network-trust{2}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c44f6125_i 381c7158_o
>> network-trust{2}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 25 minutes
>> network-trust{2}:   192.168.1.12/32 === xx.yy.248.32/28
>>  network-dmz{3}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c2348492_i 381c7159_o
>>  network-dmz{3}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 24 minutes
>>  network-dmz{3}:   192.168.1.12/32 === xx.yy.248.48/28
>>
>>
>>
>> [~]> cat /opt/strongswan/etc/ipsec.secrets
>> user : PSK passphrase
>>
>>
>> Any help is appreciated.
>>
>> Regards,
>> Arun G Nair
>
>
>
> --
> ::: Keep Smiling :::



-- 
::: Keep Smiling :::
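A small lint for the pattern discussed in this thread (several conns that inherit one left/leftid/right/rightid through also= and differ only in rightsubnet); this is an added example, not code from the thread or from strongSwan, and the sample ipsec.conf is constructed after the one quoted above with the same placeholder addresses.

```python
# Constructed sample modelled on the ipsec.conf quoted in the thread (placeholder values).
SAMPLE_CONF = """\
conn %default
        keyexchange=ikev1
conn network
        left=192.168.1.12
        leftid=user
        right=gateway.net
        rightid=vv.xx.yy.zz
conn network-trust
        also=network
        rightsubnet=xx.yy.248.32/28
conn network-dmz
        also=network
        rightsubnet=xx.yy.248.48/28
"""

def parse_ipsec_conf(text):
    """Map each 'conn' section name to its key=value pairs; comments and 'config' are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():           # unindented line = section header
            kind, _, name = line.strip().partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:    # indented key=value inside a conn
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def resolve(conns, name):
    """Flatten also= inheritance on top of %default; the nearest definition wins."""
    chain = []
    while name in conns and name not in chain:        # follow also= links, guard loops
        chain.append(name)
        name = conns[name].get("also")
    merged = dict(conns.get("%default", {}))
    for ancestor in reversed(chain):
        merged.update(conns[ancestor])
    return merged

def shared_peer_conns(text):
    """Group conns carrying a rightsubnet by IKE peer tuple; keep groups of more than one."""
    conns, by_peer = parse_ipsec_conf(text), {}
    for name, c in ((n, resolve(conns, n)) for n in conns if n != "%default"):
        if "rightsubnet" in c:
            peer = tuple(c.get(k, "") for k in ("left", "leftid", "right", "rightid"))
            by_peer.setdefault(peer, []).append(name)
    return {p: n for p, n in by_peer.items() if len(n) > 1}
```

Each returned group names conns that would, as in the thread, share one IKE identity toward the gateway, which the poster resolved by giving each its own left address. Only that pattern is checked; a reviewer would separately note that the quoted profile relies on IKEv1 aggressive mode with a pre-shared key, which sends the identity unencrypted and exposes the PSK-derived hash to offline guessing.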