[strongSwan] overlapping subnet and roadwarriors
Christopher Brichford
cab00002 at hotmail.com
Thu Jun 9 23:33:52 CEST 2016
Hi,
Is there a solution to the problem of private IPs assigned by public networks (usually WiFi) overlapping with the IPs assigned in the tunneled network? The specific problem I'm running into is that the public WiFi at SFO (San Francisco Airport) assigns IPs to its clients in the 172.31.0.0/16 network, and that subnet overlaps with a subnet on the other end of the VPN tunnel. I'm using strongSwan 5.4 to allow road warriors to tunnel to my AWS network, which uses the same subnet, 172.31.0.0/16. Road warriors are able to connect with the built-in Mac OS X 10.11 client using IKEv2; however, they are unable to access any resources through the tunnel. I suspect that I need to find a way to tell OS X to send all packets for 172.31.0.0/16 down the tunnel *unless* a packet is an encapsulated IPsec packet (in which case it should just go out the real network adapter). I looked through the VPN settings documented at https://developer.apple.com/library/mac/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html#//apple_ref/doc/uid/TP40010206-CH1-SW27 and did not see anything useful.
Is this a problem that needs to be solved on the road warrior clients and cannot be fixed by a strongSwan configuration change? If this is a problem that needs to be fixed on the road warrior client side, is there a setting in the VPN client to fix this problem?
Thanks in advance for any help!
Chris
Road warrior config from my strongSwan gateway:
conn vpn-osx-ikev2-{GROUP}
    left={LOCAL_IPV4}
    leftcert={LEFT_ID}.pem
    leftid=@{LEFT_ID}
    leftauth=pubkey
    leftsubnet={LEFT_SUBNET}
    right=%any
    rightsourceip={GROUP_CIDR}
    rightid="@@*@{GROUP_OU}"
    keyexchange=ikev2
    auto=add
    dpdaction=clear
    dpddelay=300s
    rekey=no
    forceencaps=yes
    ike=aes256gcm16-sha512-ecp521
    esp=aes256gcm16-sha512-ecp521
{GROUP}, {LOCAL_IPV4}, etc. are replaced at strongSwan startup time with environment-specific values using Python interpolation.
Template mobileconfig:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>DNS</key>
<dict>
<key>SearchDomains</key>
<array>
<string>xxx.internal</string>
<string>compute.internal</string>
<string>amazonaws.com</string>
</array>
<key>ServerAddresses</key>
<array>
<string>{VPN_DNS_SERVER}</string>
</array>
<key>SupplementalMatchDomains</key>
<array>
<string>xxx.internal</string>
<string>compute.internal</string>
<string>amazonaws.com</string>
</array>
</dict>
<key>IKEv2</key>
<dict>
<key>AuthenticationMethod</key>
<string>Certificate</string>
<key>ChildSecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>21</integer>
<key>EncryptionAlgorithm</key>
<string>AES-256-GCM</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-512</string>
<key>LifeTimeInMinutes</key>
<integer>1440</integer>
</dict>
<key>DeadPeerDetectionRate</key>
<string>High</string>
<key>DisableMOBIKE</key>
<false/>
<key>DisableRedirect</key>
<false/>
<key>EnableCertificateRevocationCheck</key>
<false/>
<key>EnablePFS</key>
<false/>
<key>ExtendedAuthEnabled</key>
<integer>0</integer>
<key>IKESecurityAssociationParameters</key>
<dict>
<key>DiffieHellmanGroup</key>
<integer>21</integer>
<key>EncryptionAlgorithm</key>
<string>AES-256-GCM</string>
<key>IntegrityAlgorithm</key>
<string>SHA2-512</string>
<key>LifeTimeInMinutes</key>
<integer>1440</integer>
</dict>
<key>LocalIdentifier</key>
<string>{LOCAL_ID}</string>
<key>PayloadCertificateUUID</key>
<string>{USER_CERT_UUID}</string>
<key>RemoteAddress</key>
<string>{VPN_GATEWAY_FQDN}</string>
<key>RemoteIdentifier</key>
<string>{LEFT_ID}</string>
<key>UseConfigurationAttributeInternalIPSubnet</key>
<false/>
<key>ServerCertificateIssuerCommonName</key>
<string>{USER_CERT_ISSUER_CN}</string>
</dict>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>0</integer>
</dict>
<key>PayloadDescription</key>
<string>Configures VPN settings</string>
<key>PayloadDisplayName</key>
<string>VPN</string>
<key>PayloadIdentifier</key>
<string>{VPN_PAYLOAD_ID}</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>{VPN_PAYLOAD_UUID}</string>
<key>PayloadVersion</key>
<real>1</real>
<key>Proxies</key>
<dict>
<key>HTTPEnable</key>
<integer>0</integer>
<key>HTTPSEnable</key>
<integer>0</integer>
</dict>
<key>UserDefinedName</key>
<string>{VPN_CONNECTION_NAME}</string>
<key>VPNType</key>
<string>IKEv2</string>
<key>VendorConfig</key>
<dict/>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>{VPN_CONNECTION_NAME}</string>
<key>PayloadIdentifier</key>
<string>{PAYLOAD_ID}</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>{PAYLOAD_UUID}</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadOrganization</key>
<string>XXX Inc.</string>
<key>PayloadDescription</key>
<string>IKEv2 VPN Credentials for {LOCAL_ID}</string>
</dict>
</plist>
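The collision Chris describes can be reasoned about before touching any client or gateway setting. The script below is an added example (it is not part of the original post and not strongSwan code); it uses only the Python standard library to check whether a locally assigned WiFi prefix overlaps the tunnel's remote subnet, to carve out which parts of the remote subnet a client on that WiFi could still reach, and to model where a packet goes under longest-prefix-match routing when the client holds both a connected route for its own link and a route for the tunnel's traffic selector. The VPC prefix 172.31.0.0/16 is the one named in the post; the WiFi prefix 172.31.5.0/24 is a constructed assumption (the post only says SFO hands out addresses inside 172.31.0.0/16), and the routing model is an assumption about kernel route lookup, not a description of the exact tables the macOS IKEv2 client installs. The `leftsubnet=` rendering at the end relies on strongSwan accepting a comma-separated list of subnets for IKEv2 connections.

```python
"""Model the subnet collision between a road warrior's WiFi prefix and the
tunnel's remote subnet.  Added example code, standard library only; not part
of strongSwan or of the original mailing-list post."""
import ipaddress
from typing import List

# Constructed sample input.  VPC_REMOTE is the prefix named in the post; the
# exact WiFi prefix length is an assumption (the post only says the WiFi hands
# out addresses inside 172.31.0.0/16).
WIFI_LOCAL = "172.31.5.0/24"
VPC_REMOTE = "172.31.0.0/16"


def _net(cidr: str) -> ipaddress.IPv4Network:
    # strict=False lets a host-style "172.31.5.23/24" copied from ifconfig pass.
    return ipaddress.ip_network(cidr, strict=False)


def overlaps(local: str, remote: str) -> bool:
    """True when some address of the remote subnet is also on the client's own link."""
    return _net(local).overlaps(_net(remote))


def reachable_prefixes(local: str, remote: str) -> List[ipaddress.IPv4Network]:
    """Parts of `remote` that a client sitting on `local` can still reach via the tunnel.

    CIDR blocks either nest or are disjoint, so three cases cover everything:
    disjoint (all of remote is fine), local swallows remote (nothing is fine),
    local is a strict subnet of remote (carve it out with address_exclude).
    """
    l, r = _net(local), _net(remote)
    if not l.overlaps(r):
        return [r]
    if l.supernet_of(r):          # also covers l == r
        return []
    return sorted(r.address_exclude(l))


def shadowed_addresses(local: str, remote: str) -> int:
    """How many addresses of `remote` are hidden behind the client's own link."""
    r = _net(remote)
    return r.num_addresses - sum(n.num_addresses for n in reachable_prefixes(local, remote))


def route_for(dest: str, local: str, remote: str) -> str:
    """Where a packet to `dest` goes under longest-prefix-match routing.

    Model assumption: the client has a connected route for `local` and a route
    for the tunnel selector `remote`; on a tie the connected route wins.
    """
    d = ipaddress.ip_address(dest)
    l, r = _net(local), _net(remote)
    in_local, in_remote = d in l, d in r
    if in_local and in_remote:
        return "local link" if l.prefixlen >= r.prefixlen else "tunnel"
    if in_local:
        return "local link"
    if in_remote:
        return "tunnel"
    return "default route"


def leftsubnet_value(prefixes: List[ipaddress.IPv4Network]) -> str:
    """Render prefixes as the comma-separated list strongSwan's leftsubnet=
    accepts for IKEv2 (several traffic selectors on one conn)."""
    return ",".join(str(p) for p in prefixes)


if __name__ == "__main__":
    print("overlap:", overlaps(WIFI_LOCAL, VPC_REMOTE))
    carved = reachable_prefixes(WIFI_LOCAL, VPC_REMOTE)
    for p in carved:
        print("  still reachable through the tunnel:", p)
    print("addresses shadowed by the local link:", shadowed_addresses(WIFI_LOCAL, VPC_REMOTE))
    for host in ("172.31.5.1", "172.31.200.10", "8.8.8.8"):
        print(host, "->", route_for(host, WIFI_LOCAL, VPC_REMOTE))
    print("leftsubnet=" + leftsubnet_value(carved))
```

Running it with the constructed /24 shows the real shape of the problem: 256 of the 65536 VPC addresses are unreachable, and the rest would need eight separate traffic selectors, a list that depends on whichever network the road warrior happens to be sitting on that day. The gateway cannot know that per client in advance, and if the WiFi hands out the whole /16 the reachable list is empty, which is why a gateway-side `leftsubnet=` change alone cannot resolve an overlap like this one.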