[strongSwan] Multiple tunnels between same peer

Sonal sonalmishra192 at gmail.com
Mon Mar 28 13:04:59 CEST 2016


Andreas Steffen <andreas.steffen at ...> writes:

> 
> Hi Arun,
> 
> either define multiple connections:
> 
> conn %default
>         type=tunnel
>         authby=secret
>         left=10.1.1.2
>         leftid=sswan
>         rightid=chamundi
>         right=10.1.1.5
>         esp=3des-md5-9
>         keyexchange=ikev2
>         ike=aes128-sha1-modp1024,3des-sha1-md5-modp1024
>         auto=add
> 
> conn tunnel1
>         leftsubnet=192.168.10.0/24
>         rightsubnet=172.16.10.0/24
> 
> conn tunnel2
>         leftsubnet=192.168.14.0/24
>         rightsubnet=172.16.12.0/24
> 
> or define multiple traffic selectors:
> 
> conn tunnel
>         type=tunnel
>         authby=secret
>         left=10.1.1.2
>         leftid=sswan
>         rightid=chamundi
>         right=10.1.1.5
>         leftsubnet=192.168.10.0/24,192.168.14.0/24
>         rightsubnet=172.16.10.0/24,172.16.12.0/24
>         esp=3des-md5-9
>         keyexchange=ikev2
>         ike=aes128-sha1-modp1024,3des-sha1-md5-modp1024
>         auto=add
> 
> In the first example 192.168.10.0/24 is connected to 172.16.10.0/24
> as part of the IKE_AUTH exchange and 192.168.14.0/24 to 172.16.12.0/24
> with an additional CREATE_CHILD_SA exchange, whereas in the second
> example the multiple traffic selectors are set up by the IKE_AUTH
> exchange, but with the additional side effect that 192.168.10.0/24 will
> be coupled with 172.16.12.0/24 and 192.168.14.0/24 with 172.16.10.0/24.
> 
> BTW - esp=3des-md5-9 has an invalid syntax. What does -9 mean? A
>       Diffie-Hellman group???
> 
> Best regards
> 
> Andreas
> 
> 
> Arun Raj wrote:
> > Hi Andreas,
> >  
> > I am trying to bring up multiple tunnels using PSK between the same peers.
> > Is this option available in strongSwan?
> >  
> > The config file I used is as below.
> > Could you please let me know how we can modify the below file to set up
> > multiple tunnels between the same peers?
> >  
> > I searched the net and I am unable to find this option.
> >  
> > # basic configuration
> >  
> > config setup
> >         strictcrlpolicy=no
> >         plutostart=no
> >         charonstart=yes
> >         charondebug=all
> >         klipsdebug=all
> >  
> > 
> > conn tunnel
> >         type=tunnel
> >         authby=secret
> >         left=10.1.1.2
> >         leftid=sswan
> >         rightid=chamundi
> >         right=10.1.1.5
> >         leftsubnet=192.168.10.0/24
> >         rightsubnet=172.16.10.0/24
> >         esp=3des-md5-9
> >         keyexchange=ikev2
> >         pfs=no
> >         ike=aes128-sha1-modp1024,3des-sha1-md5-modp1024
> >         auto=add
> > 
> >  
> > Thanks
> > Arun
> > _______________________________________________
> > Users mailing list
> > Users at ...
> > https://lists.strongswan.org/mailman/listinfo/users
Hi Andreas,

Does the below configuration make sense, where in conn net-net
leftsubnet has two different subnets but rightsubnet is only a
single subnet?

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	authby=secret
	ike=aes192-sha1-prfaesxcbc-modp1536!
	esp=aes128-sha1!
	keyexchange=ikev2
	mobike=no

conn net-net
	left=172.16.100.1
	#leftcert=hostKey.pem
	leftsubnet=192.168.2.0/24,192.168.3.0/24
	leftid=172.16.100.1
	leftfirewall=yes
	right=172.16.100.2
	rightsubnet=192.168.1.0/24
	rightid=172.16.100.2
	auto=start

I'm sending pings (ICMP packets) from the 192.168.1.0/24 network to the
192.168.2.0/24 and 192.168.3.0/24 networks, but only for 192.168.2.0/24
is the ping successful; it fails for the other network.
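The two ways of configuring the tunnels that Andreas describes above, and the one-sided selector list in the net-net conn, differ in which (local, remote) traffic-selector pairs end up as IPsec policies. The script below is an added example for this thread, not strongSwan code: it parses the `conn` sections of an ipsec.conf-style text (with `%default` inheritance), expands the comma-separated `leftsubnet`/`rightsubnet` lists, and reports which conn would cover a given flow. It models the resulting policies as the cross product of the local and remote selector lists, which is the coupling Andreas points out; that pairing, and the trimmed sample configurations (the `ike`/`esp` lines from the thread are left out), are assumptions of this example, since the selectors actually installed are whatever the two peers negotiate and narrow.

```python
"""Expand strongSwan-style ipsec.conf conn sections into the traffic-selector
pairs they would install, and check which conn covers a given flow.

Added example for the mailing-list thread; not strongSwan's own code. The
configuration texts are constructed from the thread with the algorithm lines
trimmed, and the cross-product pairing of selectors is an assumption."""
import ipaddress
from itertools import product

# Constructed: the first variant from the thread, one conn per tunnel.
SEPARATE_CONNS = """
conn %default
        type=tunnel
        authby=secret
        left=10.1.1.2
        right=10.1.1.5
        keyexchange=ikev2
        auto=add

conn tunnel1
        leftsubnet=192.168.10.0/24
        rightsubnet=172.16.10.0/24

conn tunnel2
        leftsubnet=192.168.14.0/24
        rightsubnet=172.16.12.0/24
"""

# Constructed: the second variant, both subnets as selector lists in one conn.
COMBINED_CONN = """
conn %default
        type=tunnel
        authby=secret
        left=10.1.1.2
        right=10.1.1.5
        keyexchange=ikev2

conn tunnel
        leftsubnet=192.168.10.0/24,192.168.14.0/24
        rightsubnet=172.16.10.0/24,172.16.12.0/24
        auto=add
"""


def parse_ipsec_conf(text):
    """Parse 'conn NAME' sections into dicts and apply %default inheritance.

    Only the subset of ipsec.conf syntax used in the thread is handled:
    unindented 'conn NAME' headers followed by indented key=value lines;
    '#' starts a comment; 'config setup' and other sections are skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():              # section header
            kind, _, name = line.partition(' ')
            current = sections.setdefault(name.strip(), {}) if kind == 'conn' else None
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition('=')
        current[key.strip()] = value.strip()
    default = sections.pop('%default', {})
    return {name: {**default, **opts} for name, opts in sections.items()}


def child_policies(conn):
    """Set of (local_net, remote_net) selector pairs for one conn.

    Assumption of this example: every local selector is paired with every
    remote selector (cross product). Without a subnet option the host
    address itself (left/right) is the selector, as a /32."""
    local = conn.get('leftsubnet', conn.get('left', ''))
    remote = conn.get('rightsubnet', conn.get('right', ''))
    local_nets = [ipaddress.ip_network(n.strip()) for n in local.split(',') if n.strip()]
    remote_nets = [ipaddress.ip_network(n.strip()) for n in remote.split(',') if n.strip()]
    return set(product(local_nets, remote_nets))


def covering_conns(conns, local_ip, remote_ip):
    """Sorted names of conns whose selector pairs cover local_ip -> remote_ip."""
    local_ip, remote_ip = ipaddress.ip_address(local_ip), ipaddress.ip_address(remote_ip)
    return sorted(name for name, conn in conns.items()
                  if any(local_ip in l and remote_ip in r
                         for l, r in child_policies(conn)))


if __name__ == '__main__':
    for label, text in (('separate conns', SEPARATE_CONNS),
                        ('one conn, selector lists', COMBINED_CONN)):
        for name, conn in parse_ipsec_conf(text).items():
            for l, r in sorted(child_policies(conn), key=str):
                print(f'{label}: {name}: {l} <-> {r}')
```

With the separate conns the script lists one pair per tunnel; with the selector lists it lists four, including the cross pairs Andreas mentions. Run over the net-net conn above it lists the two pairs 192.168.2.0/24 and 192.168.3.0/24 each paired with 192.168.1.0/24, which is what to compare against the selectors the peers actually negotiated (for example in `ipsec statusall` output on both ends) to see whether the second selector was proposed, narrowed away by the other side, or simply not routed into the tunnel.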
