[strongSwan] split tunneling
Anton
warm at mtele.pro
Sun May 19 05:27:59 CEST 2013
Sorry. I did not immediately notice that your rightsourceip belongs to leftsubnet.
Try to set rightsourceip=192.168.34.7 or something other than an address from the leftsubnet=172.16.1.0/24 subnet.
Here is my working example (two strongSwan instances connecting; this is the server side):
conn nbook-psk
    leftauth=psk
    leftid=@nbook
    leftsubnet=192.168.0.0/24,192.168.10.16/28,172.16.16.9/32
    right=%any
    rightid=@nbook
    rightsourceip=192.168.34.2
    rightauth=psk
    mobike=yes
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=30s
    dpdtimeout=60s
    compress=yes
    auto=add
However, AFAIK the client need not use rightsourceip at all. See the rw examples.
On Sat, 18 May 2013 19:19:08 +0200, Daniel Novy <pepus at ackee.cz> wrote:
> Hi,
> I have commented out rightsubnet, but the situation is the same. VPN
> works, but all traffic is routed into VPN.
>
> Dan.
>
> On 2013-05-18 19:08, Anton wrote:
> > Hi.
> >
> > Why do You have leftsubnet the same as rightsubnet ?
> >
> > Try to comment or delete string 'rightsubnet=172.16.1.0/24'.
> > 'rightsourceip' should be enough for working tunnel.
> >
> >
> >
> > On Sat, 18 May 2013 18:47:58 +0200, Daniel Novy <pepus at ackee.cz> wrote:
> >
> >> Hello,
> >>
> >> I'm trying to configure a VPN for my iPhone, but I want to route
> >> only specific traffic to this VPN.
> >> Just the 172.16.1.0/24 subnet; the iPhone should initiate other
> >> connections directly.
> >>
> >> I have strongswan 5.0.1, and my configuration is:
> >>
> >> root at server:~# cat /usr/local/etc/ipsec.conf
> >> conn client1device1
> >>     keyexchange=ikev1
> >>     authby=xauthrsasig
> >>     xauth=server
> >>     left=%defaultroute
> >>     leftsubnet=172.16.1.0/24
> >>     leftfirewall=yes
> >>     leftcert=serverCert.pem
> >>     right=%any
> >>     rightsubnet=172.16.1.0/24
> >>     rightsourceip=172.16.1.1
> >>     rightcert=sharedClient1device1Cert.pem
> >>     auto=add
> >>
> >> Routing table of my iphone after the VPN is up:
> >>
> >> iPhone:~ root# netstat -nr
> >> Routing tables
> >> Internet:
> >> Destination                 Gateway            Flags  Refs  Use  Netif   Expire
> >> default                     utun0              UCS       2    0  utun0
> >> default                     10.38.32.178       UGSc      3    0  pdp_ip
> >> default                     192.168.0.83       UGSc      1    0  en0
> >> 10.38.32.178                10.38.32.178       UH        4    0  pdp_ip
> >> 10.38.32.178/32             pdp_ip0            UCS       1    0  pdp_ip
> >> 46.255.224.60               utun0              UHW       1    2  utun0
> >> [my_vpnserver_public_ip]    192.168.0.83       UGHS      3    2  en0
> >> 127                         127.0.0.1          UCS       1    0  lo0
> >> 127.0.0.1                   127.0.0.1          UH        2    0  lo0
> >> 169.254                     link#8             UCS       1    0  en0
> >> 172.16.1.1                  172.16.1.1         UH        1   11  utun0
> >> 192.168.0/16                link#8             UCS       3    0  en0
> >> 192.168.0.83                0:16:3e:59:6e:7e   UHLW      3   28  en0     1165
> >> 192.168.1.98                c8:bc:c8:e7:1f:78  UHLW      3   93  en0     1185
> >> 192.168.1.99                127.0.0.1          UHS       1    0  lo0
> >>
> >>
> >> But all my traffic still goes through the VPN, as it adds utun0
> >> as a default route.
> >>
> >> Can anyone suggest what is wrong? How to force it to route only the
> >> 172.16.1.0/24 subnet using the VPN?
> >>
> >> Thanks!
> >>
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users at lists.strongswan.org
> >> https://lists.strongswan.org/mailman/listinfo/users
> >
> >
>
>