[strongSwan] Promote routes to the VPN client?

Turbo Fredriksson turbo at bayour.com
Thu Oct 27 16:17:22 CEST 2016 

I installed my NAT/IPSEC/GW many, many years ago with OpenSWAN and
"a while" (also probably "many, many years ago" :) ago, I upgraded
that to StrongSWAN.

My config is almost entirely still OpenSWAN, but that seems to be ok..

However, my use-case have slightly changed since that time in the far
away past.

I no longer only have ONE network, I have several..

How do I 'promote' those networks to the other side?

These networks I'd like to 'promote' is:

   10.0.[1-5].0/24
   192.168.69.0/24

The IPSEC network (?) is 192.168.6.0/24, so at the moment I have
to run a script:

----- s n i p -----
set -- $(netstat -rn | egrep '^default.*ppp0')
ip="${2}"

route add -net 10.0.1.0/24 "${ip}"
route add -net 10.0.4.0/24 "${ip}"
route add -net 10.0.5.0/24 "${ip}"
route add -net 192.168.69.0/24 "${ip}"
----- s n i p -----

But is there a way to avoid this, and have this done automagically
when I take up the VPN?

My config on my VPN server:

----- s n i p -----
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.6.0/24,%v4:!192.168.69.0/24,%v4:!10.0.1.0/24,%v4:!10.0.4.0/24,%v4:!10.0.5.0/24
        interfaces=%defaultroute
        charonstart=yes
        plutostart=yes
        klipsdebug=all
        #plutodebug="control controlmore"
        #plutodebug="control lifecycle klips dns oppo private"
        plutodebug=all
        charondebug=all
----- s n i p -----

I _thought_ that those last '!' entries would do that for me, but apparently
not..

I also get a bunch of "deprecated keywords" when I start up, but I can't
see anywhere that that mattered, so I've just let it be. But since I'm starting
to be quite annoyed about the routing thingie, I could just as well ask about
this as well:

----- s n i p -----
Mar 28 22:29:29 Contego ipsec_starter[6771]: Starting strongSwan 5.2.1 IPsec [starter]...
Mar 28 22:29:29 Contego ipsec_starter[6771]: # deprecated keyword 'charonstart' in config setup
Mar 28 22:29:29 Contego ipsec_starter[6771]: # deprecated keyword 'interfaces' in config setup
Mar 28 22:29:29 Contego ipsec_starter[6771]: # deprecated keyword 'klipsdebug' in config setup
Mar 28 22:29:29 Contego ipsec_starter[6771]: # deprecated keyword 'nat_traversal' in config setup
Mar 28 22:29:29 Contego ipsec_starter[6771]: # deprecated keyword 'plutodebug' in config setup
Mar 28 22:29:29 Contego ipsec_starter[6771]: # deprecated keyword 'plutostart' in config setup
Mar 28 22:29:29 Contego ipsec_starter[6771]: # unknown keyword 'protostack'
Mar 28 22:29:29 Contego ipsec_starter[6771]: # deprecated keyword 'virtual_private' in config setup
----- s n i p -----
-- 
Med ett schysst järnrör slår man hela världen med häpnad
- Sockerconny

More information about the Users mailing list