[strongSwan] Add routes? (Was: Anyone got strongSwan working with Aruba Networks (as a Aruba VIA client)?)

Jerry Lundström jerry.lundstrom at iis.se
Mon Apr 28 11:33:25 CEST 2014


Hi Martin,

On Mon, 2014-04-28 at 11:10 +0200, Martin Willi wrote:
> Your config already has a rightsubnet=10.1.0.0/16, so you can access
> these destinations through the tunnel. You probably want a leftsubnet as
> well to define the subnets for your end; if omitted, you're limited to
> your "external" IP you communicate with IKE.

The 10.1.0.0/16 subnet was just from the examples. I have added all the
subnets that I want to access via the tunnel but it does not seem to
send any traffic via the tunnel anyway.

One thing I notice is that when I add multiple subnets to rightsubnet
only the last one is shown in statusall and the IPSec policy list.

Also, I added a subnet at the end of the list where I have a machine
on which I can see what accesses it, and even if it's in the policy and
things "look" ok, the traffic is still taking the internet way to that
machine and not via the tunnel.

statusall shows:
child: dynamic === <list of rightsubnet...>
<conn>{1} <left>/32 === <last subnet in rightsubnet>

Do I need to enable IP forwarding maybe?

I've tried adding leftsubnet also for the local network on the client
side but no difference.

conn <conn>
	left=%any
	leftcert=cert.pem
	leftid=user@domain
	leftauth=eap
	leftfirewall=yes
	right=<VPN end point>
	rightid="<VPN DN>"
	rightauth=pubkey
	auto=add
	ike=aes128-sha1-modp1024
	aaa_identity="<AAA DN>"
	rightsubnet=<subnets on other side I want to access,...>

-- 
Jerry Lundström - Software Engineer
.SE - The Internet Infrastructure Foundation
http://www.iis.se/
