[strongSwan] Split Tunnel Not Working
david at fz1.org
Sun Jan 11 05:20:12 CET 2015
thanks for your help. I was able to get it working with the passthrough option. I hadn’t really come across any examples using it so I didn’t think to use it. I still encountered some odd behavior getting it to work but by making sure I put it right after my ‘toserver’ stanza it seems to work. Thanks again,
On Jan 10, 2015, at 6:37 PM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> Hello David,
> You have fallen for a misconception.
> The leftsubnet parameter controls what source addresses in an IP packet are valid for tunneling.
> The rightsubnet parameter controls what destination addresses in an IP packet are valid for tunneling.
> Those two constraints are used to find out what packets should go through the tunnel by checking
> the source and destination and seeing if both match.
> So your configuration tells your client to tunnel any packets whose source is in the subnet 192.168.1.0/24
> and the destination is in the subnet 0.0.0.0/0 (any IP address).
> What you want is a passthrough policy with source and destination being 192.168.1.0/24.
> That policy with narrower subnets will take precedence over the policy that is defined by
> your "toclient" connection definition.
> conn lanbypass
> Split tunneling does not involve "lefthostaccess" or any other such things.
> Split tunneling can be done by two things:
> * Defining your leftsubnet and rightsubnet definitions so they do not cover
>   the subnet you want to exclude.
> * Push or locally define such passthrough policies. (Can be done using the attr or attr-sql plugin)
> Kind regards,
> Noel Kuntze
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> On 11.01.2015 at 01:24, David Mitchell wrote:
>> I’m trying to set up what should be a simple split tunnel configuration and am having issues. The client is on a NAT subnet so I have leftsubnet=192.168.1.0/24. I want everything except traffic for the LAN to go out the IPsec tunnel so I have rightsubnet=0.0.0.0/0. The tunnel comes up fine but _all_ traffic goes out the tunnel, even traffic destined for 192.168.1.0/24. If I try to ping some other host on the local subnet I can see the ICMP request on the VPN server where it shouldn’t be. The VPN server can (as expected) send an ICMP to a host on the LAN. I’ve tried both with and without lefthostaccess=yes (which I thought would basically control split tunneling).
>> Both servers are Debian Wheezy using the strongSwan 4.X packages. I can try the strongSwan 5.X packages from backports but my impression is that this should work just fine. It’s not a complex configuration so I’m kind of stumped as to why it’s not working. I’m thinking that if I use ‘setkey -DP’ on the client I should see a rule matching 192.168.1.0/24 - 192.168.1.0/24 to keep the local traffic out of the tunnel? Or is there some other method I should be checking? Any advice would be appreciated. Thanks,
>> -David Mitchell
>> On the server:
>> conn toclient
>> # righthostaccess=yes
>> On the client:
>> conn toserver
>> # lefthostaccess=yes
>> Users mailing list
>> Users at lists.strongswan.org
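The selector logic Noel describes (leftsubnet/rightsubnet form a source/destination pair, both halves must match, and a narrower passthrough policy wins over the wider tunnel policy) can be checked without a VPN server. The following is an added example written for this thread, not code from strongSwan or from either poster. The ipsec.conf text, the sample packets and the tiny parser are constructed for the example: the parser only understands conn names plus leftsubnet, rightsubnet and type, and it models precedence purely by selector specificity rather than by the XFRM priority numbers strongSwan actually computes.

```python
"""
Model of how strongSwan IPsec policies (SPD entries) pick traffic:
leftsubnet/rightsubnet are a (source, destination) selector pair, both
must match, and the most specific matching policy wins. Added example,
not code from the strongSwan project.
"""
import ipaddress
import re

# Constructed ipsec.conf fragment modelled on the thread: the client's
# "toserver" conn tunnelling everything, plus a passthrough conn that
# keeps LAN-to-LAN traffic out of the tunnel.
IPSEC_CONF = """\
conn toserver
    leftsubnet=192.168.1.0/24
    rightsubnet=0.0.0.0/0
    auto=start

conn lanbypass
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.1.0/24
    type=passthrough
    auto=route
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for the few keys this model uses."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            current[key] = val
    return conns


def policies_from_conns(conns):
    """Turn conn definitions into (src_net, dst_net, action, name) tuples.
    Action is 'tunnel' for a normal conn and 'pass' for type=passthrough.
    Simplification: a missing subnet is treated as 0.0.0.0/0, whereas real
    strongSwan defaults it to the endpoint's own address."""
    policies = []
    for name, cfg in conns.items():
        src = ipaddress.ip_network(cfg.get("leftsubnet", "0.0.0.0/0"))
        dst = ipaddress.ip_network(cfg.get("rightsubnet", "0.0.0.0/0"))
        action = "pass" if cfg.get("type") == "passthrough" else "tunnel"
        policies.append((src, dst, action, name))
    return policies


def lookup(policies, src_ip, dst_ip):
    """Select the policy for one outbound packet.

    Both source and destination must fall inside the selector, and among
    the matches the narrowest one (longest combined prefix length) wins.
    Assumption of this model: no two matching policies tie on specificity.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [p for p in policies if src in p[0] and dst in p[1]]
    if not matches:
        return ("none", None)
    best = max(matches, key=lambda p: p[0].prefixlen + p[1].prefixlen)
    return (best[2], best[3])


def classify(conf_text, packets):
    """Classify (src, dst) packets under an ipsec.conf text.
    Returns a list of (src, dst, action, conn_name)."""
    policies = policies_from_conns(parse_conns(conf_text))
    return [(s, d) + lookup(policies, s, d) for s, d in packets]


# Constructed sample traffic: a LAN ping and an Internet-bound packet.
SAMPLE_PACKETS = [
    ("192.168.1.10", "192.168.1.20"),  # LAN peer: must stay off the tunnel
    ("192.168.1.10", "203.0.113.5"),   # remote host: should be tunnelled
]

if __name__ == "__main__":
    # With lanbypass present the LAN ping is passed, the rest is tunnelled.
    for row in classify(IPSEC_CONF, SAMPLE_PACKETS):
        print(row)
    # David's original situation: the same config without the passthrough
    # conn tunnels the LAN ping too, because 0.0.0.0/0 covers it.
    broken = IPSEC_CONF.split("\nconn lanbypass")[0]
    for row in classify(broken, SAMPLE_PACKETS):
        print(row)
```

On a real client the same question is answered by listing the installed policies (`ip xfrm policy`, or `setkey -DP` as David mentions): the passthrough conn should appear as a 192.168.1.0/24 to 192.168.1.0/24 selector alongside the 192.168.1.0/24 to 0.0.0.0/0 tunnel selector, and a LAN ping should then no longer show up on the VPN server.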