[strongSwan] Promote routes to the VPN client?

Noel Kuntze noel at familie-kuntze.de
Thu Oct 27 17:28:04 CEST 2016


On 27.10.2016 16:17, Turbo Fredriksson wrote:

> 
> These networks I'd like to 'promote' is:
> 
>    10.0.[1-5].0/24
>    192.168.69.0/24
> 
> The IPSEC network (?) is 192.168.6.0/24, so at the moment I have
> to run a script:
> 
> ----- s n i p -----
> set -- $(netstat -rn | egrep '^default.*ppp0')
> ip="${2}"
> 
> route add -net 10.0.1.0/24 "${ip}"
> route add -net 10.0.4.0/24 "${ip}"
> route add -net 10.0.5.0/24 "${ip}"
> route add -net 192.168.69.0/24 "${ip}"
> ----- s n i p -----
>

Totally useless, because the security policies (SPs) dictate what traffic is protected. How you configure them correctly
depends on the exact circumstance (IKE version, brokenness of the IKE peers involved).
Read through the introduction[1] and the article about forwarding and split tunneling[2].
Then take a look at the examples[3] I provided in the wiki. They will show you how to configure the scenarios
correctly. If things are unclear, consult the manual (man ipsec.conf), the wiki[4] or go to IRC[5] to get someone to lend a hand.

And please stop using the net-tools (ifconfig, route, brctl, ...). They're deprecated
and have not seen any development since the early 2000s. Use iproute2 (man ip).

> My config on my VPN server:
> 
> ----- s n i p -----
> config setup
>         protostack=netkey
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.6.0/24,%v4:!192.168.69.0/24,%v4:!10.0.1.0/24,%v4:!10.0.4.0/24,%v4:!10.0.5.0/24
>         interfaces=%defaultroute
>         charonstart=yes
>         plutostart=yes
>         klipsdebug=all
>         #plutodebug="control controlmore"
>         #plutodebug="control lifecycle klips dns oppo private"
>         plutodebug=all
>         charondebug=all
> ----- s n i p -----

Nuke it all. All those options are without meaning in modern strongSwan (>= 5.0.0).

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan
[2] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
[3] https://wiki.strongswan.org/projects/strongswan/wiki/SaneExamples
[4] https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation
[5] irc://irc.freenode.net/strongswan

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
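What the reply above amounts to in practice, as an added example that is not part of the original thread and not one of the wiki's own examples: the networks the poster wanted to "promote" are expressed as traffic selectors (leftsubnet on the server, rightsubnet on the client) for a modern strongSwan 5.x ipsec.conf, and the obsolete config-setup keywords (protostack, nat_traversal, virtual_private, plutostart, klipsdebug, ...) are dropped. The hostname vpn.example.com, the certificate file serverCert.pem, the EAP method and the connection names are assumptions for illustration; the networks and the 192.168.6.0/24 client pool are taken from the thread.

```conf
# --- VPN server: /etc/ipsec.conf (strongSwan >= 5.0, IKEv2) ---
# Added example; hostnames, cert file and EAP method are assumptions.
config setup
        # Only raise this while troubleshooting; "all" floods the log.
        charondebug="ike 1, cfg 1, knl 1"

conn %default
        keyexchange=ikev2
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256!

conn roadwarrior
        left=%any
        leftid=@vpn.example.com
        leftcert=serverCert.pem          # assumed file under /etc/ipsec.d/certs
        # Traffic selectors the server offers. Only these networks are
        # negotiated into the CHILD_SA, so the SPs (and the routes charon
        # installs in table 220 on the client) follow from this line;
        # no "route add" script on the client is needed.
        leftsubnet=10.0.1.0/24,10.0.4.0/24,10.0.5.0/24,192.168.69.0/24
        right=%any
        rightauth=eap-mschapv2           # assumed; pubkey works as well
        # Virtual IP pool handed to clients (the "IPsec network" in the thread)
        rightsourceip=192.168.6.0/24
        auto=add

# --- VPN client: /etc/ipsec.conf ---
conn office
        keyexchange=ikev2
        left=%defaultroute
        leftsourceip=%config             # request a virtual IP from the pool
        leftauth=eap-mschapv2
        eap_identity=%identity
        right=vpn.example.com
        rightid=@vpn.example.com
        rightauth=pubkey
        # Ask for the remote networks; the server narrows the selectors to
        # what its leftsubnet allows, so the two sides stay consistent.
        rightsubnet=10.0.1.0/24,10.0.4.0/24,10.0.5.0/24,192.168.69.0/24
        auto=start
```

After the tunnel is up, check with iproute2 rather than net-tools: `ip xfrm policy` shows the installed SPs (one per negotiated selector pair) and `ip route show table 220` shows the routes charon installed for them, so nothing has to be added by hand. On the server, the forwarding and split-tunneling article[2] still applies: net.ipv4.ip_forward must be enabled and the firewall must let traffic to and from 192.168.6.0/24 pass (and masquerade it, if the internal networks do not route back to the pool).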

