[strongSwan] right/leftsubnet with 0.0.0.0/0 or some specific network

Fri Jun 12 10:54:30 CEST 2015

Hi, all

I configured 4 vmare hosts. The hosts are ubuntu14.04. The gateway moon 
does not forward icmp packets.

The network topology is as below.

10.1.0.10 <---->10.1.0.1 (moon) 192.168.0.1<----->192.168.0.2 (sun) 
10.2.0.1<---->10.2.0.10

strongswan is 5.3.0.

On moon
/usr/local/etc/ipsec.conf is as below:

config setup

conn %default
     ikelifetime=60m
     keylife=20m
     rekeymargin=3m
     keyingtries=1
     authby=secret
     keyexchange=ikev2
     mobike=no

conn net-net
     left=192.168.0.1
     leftsubnet=10.1.0.0/16      ---->0.0.0.0/0
     leftid=@moon.strongswan.org
     leftfirewall=yes
     right=192.168.0.2
     rightsubnet=10.2.0.0/16     ---->0.0.0.0/0
     rightid=@sun.strongswan.org
     auto=add
/usr/local/etc/ipsec.secrets is as below:

: PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx

On Sun
/usr/local/etc/ipsec.conf is as below:
config setup

conn %default
     ikelifetime=60m
     keylife=20m
     rekeymargin=3m
     keyingtries=1
     authby=secret
     keyexchange=ikev2
     mobike=no

conn net-net
     left=192.168.0.2
     leftsubnet=10.2.0.0/16  ----->0.0.0.0/0
     leftid=@sun.strongswan.org
     leftfirewall=yes
     right=192.168.0.1
     rightsubnet=10.1.0.0/16 ----->0.0.0.0/0
     rightid=@moon.strongswan.org
     auto=add

/usr/local/etc/ipsec.secrets is as below:

: PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx

Others remain unchanged.

In the above ipsec.conf file, if I use right/leftsubnet with 0.0.0.0/0, 
the whole system can not work well.
If I use right/leftsubnet with 10.1 or 2.0.0/16, the whole system can 
work well.

Does any one have the similar experience?

Anyone has idea?

Any reply is appreciated.

Thanks a lot.
Zhu Yanjun