[strongSwan] separate routes for VPN and Internet traffic: can this form of "split tunneling" be configured in ipsec.conf?
Zhuyj
mounter625 at 163.com
Tue Jun 2 05:38:10 CEST 2015
I like this method
Sent from my iPhone
> On Jun 2, 2015, at 3:15, Alan Tu <8libra at gmail.com> wrote:
>
> Thanks Noel for repeatedly taking a look.
>
> My workaround is to modify routing table 220, changing the default
> route back to the original LAN IP and then explicitly routing the VPN
> subnet over the VPN virtual IP. May not be pretty, but it works.
>
> Alan
>
>
>> On 6/1/15, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>
>> Hello Alan,
>>
>> Yes, looks like that vendor's implementation is borked.
>>
>> Mit freundlichen Grüßen/Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>>> On 01.06.2015 at 21:12, Alan Tu wrote:
>>> Hi Noel, I have rightsubnet=10.0.0.0/8 and no leftsubnet entry.
>>>
>>> Fresh tested from scratch, pristine VM image, downloaded, compiled and
>>> installed Strongswan. ipsec.conf [1] and syslog [2] are below. We have
>>> an out of band two factor authentication mechanism, which I did
>>> successfully authenticate to.
>>>
>>> Perhaps this VPN software/appliance vendor implementation isn't
>>> compatible with what I want to do? Or at least the way I'm specifying
>>> it in the client configuration.
>>>
>>> Alan
>>>
>>> Notes:
>>> [1]
>>> conn %default
>>> ikelifetime=20
>>> reauth=yes
>>> rekey=yes
>>> keylife=10m
>>> rekeymargin=3m
>>> rekeyfuzz=0%
>>> keyingtries=1
>>> type=tunnel
>>>
>>> conn vpn
>>> keyexchange=ikev1
>>> ikelifetime=1440m
>>> keylife=60m
>>> aggressive=yes
>>> ike=aes-sha1-modp1024
>>> esp=aes-sha1
>>> xauth=client
>>> left=%any
>>> leftid=keyid:[redacted]
>>> leftsourceip=%modeconfig
>>> leftauth=psk
>>> rightauth=psk
>>> leftauth2=xauth
>>> right=[redacted]
>>> rightsubnet=10.0.0.0/8
>>> xauth_identity=[redacted]
>>> auto=add
>>>
>>> conn lan
>>> leftsubnet=172.31.0.0/16
>>> rightsubnet=172.31.0.0/16
>>> authby=never
>>> type=passthrough
>>> auto=route
>>>
>>> [2] syslog
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 03[CFG] received stroke: initiate
>>> 'vpn'
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 01[IKE] initiating Aggressive
>>> Mode IKE_SA vpn[1] to [VPN_gateway]
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 01[ENC] generating AGGRESSIVE
>>> request 0 [ SA KE No ID V V V V ]
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 01[NET] sending packet: from
>>> 172.31.36.65[500] to [VPN_gateway][500] (384 bytes)
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 10[NET] received packet: from
>>> [VPN_gateway][500] to 172.31.36.65[500] (396 bytes)
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 10[ENC] parsed AGGRESSIVE
>>> response 0 [ SA KE No ID HASH V V NAT-D NAT-D V V ]
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 10[IKE] received XAuth vendor ID
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 10[IKE] received NAT-T (RFC
>>> 3947) vendor ID
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 10[IKE] received DPD vendor ID
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 10[ENC] received unknown
>>> vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 10[IKE] local host is behind
>>> NAT, sending keep alives
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 10[ENC] generating AGGRESSIVE
>>> request 0 [ NAT-D NAT-D HASH ]
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 10[NET] sending packet: from
>>> 172.31.36.65[4500] to [VPN_gateway][4500] (108 bytes)
>>> Jun 1 18:53:41 ip-172-31-37-117 charon: 11[NET] received packet: from
>>> [VPN_gateway][4500] to 172.31.36.65[4500] (76 bytes)
>>> Jun 1 18:53:41 ip-172-31-37-117 charon: 11[ENC] parsed TRANSACTION
>>> request 783318293 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
>>> Jun 1 18:53:41 ip-172-31-37-117 charon: 11[ENC] generating
>>> TRANSACTION response 783318293 [ HASH CPRP(X_USER X_PWD) ]
>>> Jun 1 18:53:41 ip-172-31-37-117 charon: 11[NET] sending packet: from
>>> 172.31.36.65[4500] to [VPN_gateway][4500] (108 bytes)
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[NET] received packet: from
>>> [VPN_gateway][4500] to 172.31.36.65[4500] (76 bytes)
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[ENC] parsed TRANSACTION
>>> request 703099895 [ HASH CPS(X_STATUS) ]
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[IKE] XAuth authentication
>>> of 'user' (myself) successful
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[IKE] IKE_SA vpn[1]
>>> established between 172.31.36.65[group]...[VPN_gateway][[VPN_gateway]]
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[IKE] scheduling
>>> reauthentication in 86220s
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[IKE] maximum IKE_SA lifetime
>>> 86400s
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[ENC] generating
>>> TRANSACTION response 703099895 [ HASH CPA(X_STATUS) ]
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[NET] sending packet: from
>>> 172.31.36.65[4500] to [VPN_gateway][4500] (76 bytes)
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[ENC] generating
>>> TRANSACTION request 4226299460 [ HASH CPRQ(ADDR DNS) ]
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[NET] sending packet: from
>>> 172.31.36.65[4500] to [VPN_gateway][4500] (76 bytes)
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 13[NET] received packet: from
>>> [VPN_gateway][4500] to 172.31.36.65[4500] (92 bytes)
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 13[ENC] parsed TRANSACTION
>>> response 4226299460 [ HASH CPRP(ADDR DNS DNS) ]
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 13[IKE] installing DNS server
>>> 10.100.15.5 via resolvconf
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 13[IKE] installing DNS server
>>> 10.100.24.250 via resolvconf
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 13[IKE] installing new
>>> virtual IP 10.100.4.5
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 13[ENC] generating QUICK_MODE
>>> request 675444149 [ HASH SA No ID ID ]
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 13[NET] sending packet: from
>>> 172.31.36.65[4500] to [VPN_gateway][4500] (204 bytes)
>>> Jun 1 18:53:53 ip-172-31-37-117 charon: 02[IKE] sending retransmit 1
>>> of request message ID 675444149, seq 4
>>> Jun 1 18:53:53 ip-172-31-37-117 charon: 02[NET] sending packet: from
>>> 172.31.36.65[4500] to [VPN_gateway][4500] (204 bytes)
>>> Jun 1 18:54:01 ip-172-31-37-117 charon: 10[IKE] sending retransmit 2
>>> of request message ID 675444149, seq 4
>>> Jun 1 18:54:01 ip-172-31-37-117 charon: 10[NET] sending packet: from
>>> 172.31.36.65[4500] to [VPN_gateway][4500] (204 bytes)
>>> Jun 1 18:54:14 ip-172-31-37-117 charon: 05[IKE] sending retransmit 3
>>> of request message ID 675444149, seq 4
>>> Jun 1 18:54:14 ip-172-31-37-117 charon: 05[NET] sending packet: from
>>> 172.31.36.65[4500] to [VPN_gateway][4500] (204 bytes)
>>> Jun 1 18:54:33 ip-172-31-37-117 charon: 15[IKE] sending keep alive to
>>> [VPN_gateway][4500]
>>> Jun 1 18:54:37 ip-172-31-37-117 charon: 13[IKE] sending retransmit 4
>>> of request message ID 675444149, seq 4
>>> Jun 1 18:54:37 ip-172-31-37-117 charon: 13[NET] sending packet: from
>>> 172.31.36.65[4500] to [VPN_gateway][4500] (204 bytes)
>>> Jun 1 18:54:56 ip-172-31-37-117 charon: 16[IKE] sending keep alive to
>>> [VPN_gateway][4500]
>>> Jun 1 18:55:16 ip-172-31-37-117 charon: 02[IKE] sending keep alive to
>>> [VPN_gateway][4500]
>>> Jun 1 18:55:19 ip-172-31-37-117 charon: 01[IKE] sending retransmit 5
>>> of request message ID 675444149, seq 4
>>> Jun 1 18:55:19 ip-172-31-37-117 charon: 01[NET] sending packet: from
>>> 172.31.36.65[4500] to [VPN_gateway][4500] (204 bytes)
>>> Jun 1 18:55:38 ip-172-31-37-117 charon: 11[IKE] sending keep alive to
>>> [VPN_gateway][4500]
>>> Jun 1 18:55:58 ip-172-31-37-117 charon: 12[IKE] sending keep alive to
>>> [VPN_gateway][4500]
>>> Jun 1 18:56:18 ip-172-31-37-117 charon: 05[IKE] sending keep alive to
>>> [VPN_gateway][4500]
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 14[KNL] creating delete job
>>> for CHILD_SA ESP/0xc6eb89db/172.31.36.65
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 14[JOB] CHILD_SA
>>> ESP/0xc6eb89db/172.31.36.65 not found for delete
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 13[IKE] giving up after 5
>>> retransmits
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 13[IKE] installing new
>>> virtual IP 10.100.4.5
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 13[IKE] initiating Aggressive
>>> Mode IKE_SA vpn[2] to [VPN_gateway]
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 13[ENC] generating AGGRESSIVE
>>> request 0 [ SA KE No ID V V V V ]
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 13[NET] sending packet: from
>>> 172.31.36.65[500] to [VPN_gateway][500] (384 bytes)
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 04[NET] received packet: from
>>> [VPN_gateway][500] to 172.31.36.65[500] (396 bytes)
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 04[ENC] parsed AGGRESSIVE
>>> response 0 [ SA KE No ID HASH V V NAT-D NAT-D V V ]
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 04[IKE] received XAuth vendor ID
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 04[IKE] received NAT-T (RFC
>>> 3947) vendor ID
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 04[IKE] received DPD vendor ID
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 04[ENC] received unknown
>>> vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 04[IKE] local host is behind
>>> NAT, sending keep alives
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 04[ENC] generating AGGRESSIVE
>>> request 0 [ NAT-D NAT-D HASH ]
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 04[NET] sending packet: from
>>> 172.31.36.65[4500] to [VPN_gateway][4500] (108 bytes)
>>> Jun 1 18:56:35 ip-172-31-37-117 charon: 16[NET] received packet: from
>>> [VPN_gateway][4500] to 172.31.36.65[4500] (76 bytes)
>>> Jun 1 18:56:35 ip-172-31-37-117 charon: 16[ENC] parsed TRANSACTION
>>> request 260202080 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
>>> Jun 1 18:56:35 ip-172-31-37-117 charon: 16[ENC] generating
>>> TRANSACTION response 260202080 [ HASH CPRP(X_USER X_PWD) ]
>>> Jun 1 18:56:35 ip-172-31-37-117 charon: 16[NET] sending packet: from
>>> 172.31.36.65[4500] to [VPN_gateway][4500] (108 bytes)
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[NET] received packet: from
>>> [VPN_gateway][4500] to 172.31.36.65[4500] (76 bytes)
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[ENC] parsed TRANSACTION
>>> request 1809935207 [ HASH CPS(X_STATUS) ]
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[IKE] XAuth authentication
>>> of 'user' (myself) successful
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[IKE] IKE_SA vpn[2]
>>> established between 172.31.36.65[group]...[VPN_gateway][[VPN_gateway]]
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[IKE] scheduling
>>> reauthentication in 86220s
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[IKE] maximum IKE_SA lifetime
>>> 86400s
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[ENC] generating
>>> TRANSACTION response 1809935207 [ HASH CPA(X_STATUS) ]
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[NET] sending packet: from
>>> 172.31.36.65[4500] to [VPN_gateway][4500] (76 bytes)
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[ENC] generating
>>> TRANSACTION request 150801322 [ HASH CPRQ(ADDR DNS) ]
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[NET] sending packet: from
>>> 172.31.36.65[4500] to [VPN_gateway][4500] (76 bytes)
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 11[NET] received packet: from
>>> [VPN_gateway][4500] to 172.31.36.65[4500] (92 bytes)
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 11[ENC] parsed TRANSACTION
>>> response 150801322 [ HASH CPRP(ADDR DNS DNS) ]
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 11[IKE] installing DNS server
>>> 10.100.15.5 via resolvconf
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 11[IKE] installing DNS server
>>> 10.100.24.250 via resolvconf
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 11[IKE] installing new
>>> virtual IP 10.100.4.2
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 11[ENC] generating QUICK_MODE
>>> request 1932673650 [ HASH SA No ID ID ]
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 11[NET] sending packet: from
>>> 172.31.36.65[4500] to [VPN_gateway][4500] (204 bytes)
>>> Jun 1 18:56:49 ip-172-31-37-117 charon: 16[IKE] sending retransmit 1
>>> of request message ID 1932673650, seq 4
>>> Jun 1 18:56:49 ip-172-31-37-117 charo
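The routing-table-220 workaround Alan describes (restore the LAN default route in table 220, then route only the VPN subnet with the virtual IP as source), as an added shell example that is not from the thread: the LAN gateway 172.31.32.1 on eth0, the virtual IP 10.100.4.5 taken from the syslog, and the two `ip route show table 220` samples are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. All values below are assumed.
LAN_GW=172.31.32.1      # assumed LAN default gateway
LAN_IF=eth0             # assumed LAN interface
VPN_VIP=10.100.4.5      # virtual IP as installed in the syslog above
VPN_SUBNET=10.0.0.0/8   # rightsubnet from the ipsec.conf above

# Constructed sample of `ip route show table 220` in the unwanted full-tunnel
# state: a default route sourced from the virtual IP sends all traffic,
# Internet traffic included, into the IPsec policy.
SAMPLE_TABLE_220='default via 172.31.32.1 dev eth0 proto static src 10.100.4.5'

# Constructed sample of the same table after the workaround has been applied.
SAMPLE_TABLE_220_FIXED='default via 172.31.32.1 dev eth0
10.0.0.0/8 via 172.31.32.1 dev eth0 src 10.100.4.5'

# Return 0 (true) when table 220 carries a default route with the virtual IP
# as source, i.e. when the client is effectively full-tunnelled.
full_tunnel_in_table220() {
    printf '%s\n' "$1" | grep -q "^default .*src $VPN_VIP"
}

# Emit the two route changes that implement the split tunnel: the default
# route goes back to the LAN gateway without the virtual-IP source, and only
# the VPN subnet keeps the virtual IP as source so it matches the IPsec policy.
split_tunnel_commands() {
    printf '%s\n' \
      "ip route replace default via $LAN_GW dev $LAN_IF table 220" \
      "ip route replace $VPN_SUBNET via $LAN_GW dev $LAN_IF src $VPN_VIP table 220"
}

# Only run the commands for real when asked (needs root and the interface above);
# without --apply the commands are printed for review.
apply_split_tunnel() {
    if [ "$1" = "--apply" ]; then
        split_tunnel_commands | while IFS= read -r cmd; do
            $cmd || exit 1
        done
    else
        split_tunnel_commands
    fi
}

# Usage: ./split_tunnel.sh            (print the commands)
#        ./split_tunnel.sh --apply    (apply them to routing table 220)
apply_split_tunnel "$1"
```

Re-run `ip route show table 220` afterwards and feed it to `full_tunnel_in_table220` to confirm the default route no longer carries the virtual IP; routes charon installs are re-added on the next rekey or reconnect, so the fix has to be reapplied (for example from an updown script) after each tunnel establishment.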