[strongSwan] understanding openswan
Christian Huldt
christian at solvare.se
Thu Nov 14 22:39:16 CET 2013
That is up to the client. There is something called something similar to "send all traffic" in the iOS VPN configuration screen; just turn it off.
> On 14 Nov 2013 at 21:04, Marcelo Barbudas <nostef at gmail.com> wrote:
>
> Removed rightsubnet and it still isn't working.
>
> I found an old thread
> https://lists.strongswan.org/pipermail/users/2013-May/009233.html that
> described a similar issue, emailed the OP, and he hasn't figured it
> out either. iOS tries to forward everything.
>
> -M.
>
>> On Thu, Nov 14, 2013 at 11:10 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>
>> Hello Marcelo,
>>
>> Take out the rightsubnet parameter. Your iOS device surely doesn't want to provide your debian box with access to the 192.168.22.0/24 netrange.
>>
>> You can push name servers to the other peer by using the "leftdns" parameter.
>> In what netrange are your DNS servers? If you want to have access to the subnet the other peer provides to you, you need to
>> set it up to do that on that peer.
>> See [1] for what caveats there are and how to do it.
>>
>> [1] http://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
>>
>> Regards
>> Noel Kuntze
>>
>>> On 14.11.2013 19:49, Marcelo Barbudas wrote:
>>> Hi Noel,
>>>
>>> I'm trying something simple, taking one step at a time, to establish
>>> the VPN connection and from the client's side (iOS) to still be able
>>> to navigate freely (to hosts not through the VPN). This is the server
>>> config I am using. As soon as the connection is established the DNS
>>> stops working (I don't have a dns1 or left/right dns entry anywhere)
>>> and if I try an HTTP connection to an IP, that doesn't work either.
>>>
>>> conn ios
>>>     keyexchange=ikev1
>>>     authby=xauthrsasig
>>>     xauth=server
>>>     left=%defaultroute
>>>     leftfirewall=yes
>>>     leftcert=serverCert.pem
>>>     leftsubnet=192.168.21.0/24
>>>     right=%any
>>>     rightsubnet=192.168.22.0/24
>>>     rightsourceip=192.168.22.0/24
>>>     auto=add
>>>
>>> -M.
>>>
>>>> On Thu, Nov 14, 2013 at 10:31 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>> Hello Marcelo,
>>>
>>> 1) Yes, use leftsubnet and rightsubnet.
>>> 2) Yes, use leftdns.
>>> 3) Use left for your local config and right for your right config.
>>> There is documentation for an iOS tunnel in the wiki [1].
>>>
>>> [1] http://wiki.strongswan.org/projects/strongswan/wiki/IOS_(Apple)
>>>
>>> Regards
>>> Noel Kuntze
>>>
>>> On 14.11.2013 19:21, Marcelo Barbudas wrote:
>>>>>> Hi.
>>>>>>
>>>>>> I'm coming from the world of OpenVPN and having a hard time
>>>>>> understanding how to implement some features using strongswan.
>>>>>>
>>>>>> I have been googling and reading docs. I still have some questions
>>>>>> that I can't figure out.
>>>>>>
>>>>>> 1) If I create a host-to-net vpn (iOS to Debian) can I make the client
>>>>>> (iOS) NOT send all the traffic through the VPN? I'd like only the
>>>>>> communication with certain hosts to be over VPN
>>>>>> 2) Can I push my own DNS server with custom entries for the local network?
>>>>>> 3) Left vs Right what's the easiest way to create a host-to-net?
>>>>>>
>>>>>> Again, I apologize for the beginner questions. I respect your time and
>>>>>> have been RTFM-ing around.
>>>>>>
>>>>>> -M.
>>>>>>
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> Users at lists.strongswan.org
>>>>>> https://lists.strongswan.org/mailman/listinfo/users
>>