[strongSwan] understanding openswan

Marcelo Barbudas nostef at gmail.com
Thu Nov 14 21:04:01 CET 2013


Removed rightsubnet and it still isn't working.

I found an old thread
https://lists.strongswan.org/pipermail/users/2013-May/009233.html that
described a similar issue, emailed the OP, and he hasn't figured it
out either. iOS tries to forward everything.

-M.

On Thu, Nov 14, 2013 at 11:10 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> Hello Marcelo,
>
> Take out the rightsubnet parameter. Your iOS device surely doesn't want to provide your debian box with access to the 192.168.22.0/24 netrange.
>
> You can push name servers to the other peer by using the "leftdns" parameter.
> In what netrange are your DNS servers? If you want to have access to the subnet the other peer provides to you, you need to
> set it up to do that on that peer.
> See [1] for what caveats there are and how to do it.
>
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>
> Regards
> Noel Kuntze
>
> On 14.11.2013 19:49, Marcelo Barbudas wrote:
>> Hi Noel,
>>
>> I'm trying something simple, taking one step at a time, to establish
>> the VPN connection and from the client's side (iOS) to still be able
>> to navigate freely (to hosts not through the VPN). This is the server
>> config I am using. As soon as the connection is established the DNS
>> stops working (I don't have a dns1 or left/right dns entry anywhere)
>> and if I try a http connection to an ip that doesn't work either.
>>
>> conn ios
>>         keyexchange=ikev1
>>         authby=xauthrsasig
>>         xauth=server
>>         left=%defaultroute
>>         leftfirewall=yes
>>         leftcert=serverCert.pem
>>         leftsubnet=192.168.21.0/24
>>         right=%any
>>         rightsubnet=192.168.22.0/24
>>         rightsourceip=192.168.22.0/24
>>         auto=add
>>
>> -M.
>>
>> On Thu, Nov 14, 2013 at 10:31 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>>
>> Hello Marcelo,
>>
>> 1) Yes, use leftsubnet and rightsubnet.
>> 2) Yes, use leftdns.
>> 3) Use left for your local config and right for your right config.
>> There is documentation for an iOS tunnel in the wiki [1].
>>
>> [1] http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
>>
>> Regards
>> Noel Kuntze
>>
>> On 14.11.2013 19:21, Marcelo Barbudas wrote:
>> >>> Hi.
>> >>>
>> >>> I'm coming from the world of OpenVPN and having a hard time
>> >>> understanding how to implement some features using strongswan.
>> >>>
>> >>> I have been googling and reading docs. I still have some questions
>> >>> that I can't figure out.
>> >>>
>> >>> 1) If I create a host-to-net vpn (iOS to Debian) can I make the client
>> >>> (iOS) NOT send all the traffic through the VPN? I'd like only the
>> >>> communication with certain hosts to be over VPN
>> >>> 2) Can I push my own DNS server with custom entries for the local network?
>> >>> 3) Left vs Right what's the easiest way to create a host-to-net?
>> >>>
>> >>> Again, I apologize for the beginner questions. I respect your time and
>> >>> have been RTFM-ing around.
>> >>>
>> >>> -M.
>> >>>
>> >>> _______________________________________________
>> >>> Users mailing list
>> >>> Users at lists.strongswan.org
>> >>> https://lists.strongswan.org/mailman/listinfo/users
>>
>>>
>>
>



