[strongSwan] understanding openswan

Noel Kuntze noel at familie-kuntze.de
Thu Nov 14 20:10:50 CET 2013


Hello Marcelo,

Take out the rightsubnet parameter. Your iOS device surely doesn't want to provide your Debian box with access to the 192.168.22.0/24 netrange.

You can push name servers to the other peer by using the "leftdns" parameter.
In what netrange are your DNS servers? If you want to have access to the subnet the other peer provides to you, you need to
set it up to do that on that peer.
See [1] for what caveats there are and how to do it.

[1] http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Regards
Noel Kuntze

On 14.11.2013 19:49, Marcelo Barbudas wrote:
> Hi Noel,
>
> I'm trying something simple, taking one step at a time, to establish
> the VPN connection and from the client's side (iOS) to still be able
> to navigate freely (to hosts not through the VPN). This is the server
> config I am using. As soon as the connection is established the DNS
> stops working (I don't have a dns1 or left/right dns entry anywhere)
> and if I try a http connection to an ip that doesn't work either.
>
> conn ios
>         keyexchange=ikev1
>         authby=xauthrsasig
>         xauth=server
>         left=%defaultroute
>         leftfirewall=yes
>         leftcert=serverCert.pem
>         leftsubnet=192.168.21.0/24
>         right=%any
>         rightsubnet=192.168.22.0/24
>         rightsourceip=192.168.22.0/24
>         auto=add
>
> -M.
>
> On Thu, Nov 14, 2013 at 10:31 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>
> Hello Marcelo,
>
> 1) Yes, use leftsubnet and rightsubnet.
> 2) Yes, use leftdns.
> 3) Use left for your local config and right for your right config.
> There is documentation for an iOS tunnel in the wiki [1].
>
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
>
> Regards
> Noel Kuntze
>
> On 14.11.2013 19:21, Marcelo Barbudas wrote:
> >>> Hi.
> >>>
> >>> I'm coming from the world of OpenVPN and having a hard time
> >>> understanding how to implement some features using strongswan.
> >>>
> >>> I have been googling and reading docs. I still have some questions
> >>> that I can't figure out.
> >>>
> >>> 1) If I create a host-to-net vpn (iOS to Debian) can I make the client
> >>> (iOS) NOT send all the traffic through the VPN? I'd like only the
> >>> communication with certain hosts to be over VPN
> >>> 2) Can I push my own DNS server with custom entries for the local network?
> >>> 3) Left vs Right what's the easiest way to create a host-to-net?
> >>>
> >>> Again, I apologize for the beginner questions. I respect your time and
> >>> have been RTFM-ing around.
> >>>
> >>> -M.
> >>>
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at lists.strongswan.org
> >>> https://lists.strongswan.org/mailman/listinfo/users
>
>>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
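
An added example, not part of the original message and not strongSwan code: a small Python check that parses ipsec.conf-style conn sections and flags the two things discussed in this thread, a rightsubnet on a conn whose clients get a virtual IP from rightsourceip, and the absence of any DNS entry. The helper name lint_roadwarrior and the finding texts are assumptions; the sample is the conn quoted above.

```python
import ipaddress

# The conn from the quoted message, inlined so the check runs offline.
SAMPLE = """\
conn ios
        keyexchange=ikev1
        authby=xauthrsasig
        xauth=server
        left=%defaultroute
        leftfirewall=yes
        leftcert=serverCert.pem
        leftsubnet=192.168.21.0/24
        right=%any
        rightsubnet=192.168.22.0/24
        rightsourceip=192.168.22.0/24
        auto=add
"""
# Same conn with the rightsubnet line taken out, as the reply advises.
FIXED = "\n".join(l for l in SAMPLE.splitlines() if "rightsubnet" not in l)

def parse_conns(text):
    """Return {conn name: {key: value}} for every conn section in the text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented line starts a section
            words = line.split()
            is_conn = len(words) == 2 and words[0] == "conn"
            current = conns.setdefault(words[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def lint_roadwarrior(conn):
    """Hypothetical helper: list findings for a conn serving right=%any clients."""
    findings = []
    pool = conn.get("rightsourceip")
    if conn.get("right") != "%any" or not pool:
        return findings                           # not a virtual-IP road-warrior conn
    if "rightsubnet" in conn:
        msg = "rightsubnet is set although clients get a virtual IP"
        try:
            if ipaddress.ip_network(conn["rightsubnet"]).overlaps(ipaddress.ip_network(pool)):
                msg += " (overlaps the rightsourceip pool)"
        except ValueError:
            pass                                  # pool given as a name or keyword
        findings.append(msg)
    if not ("leftdns" in conn or "rightdns" in conn):
        findings.append("no leftdns/rightdns entry, so no DNS server is pushed")
    return findings
```

Run over SAMPLE it reports both findings; over FIXED only the DNS finding remains.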
