[strongSwan] Tunnels with dynamic IP and another route issue

Dusan Ilic dusan at comhem.se
Fri Apr 21 10:16:03 CEST 2017


Hi!

I have some issues, please read on.

1. I have one side of the IPsec tunnel with a dynamic IP (associated with 
a dynamic hostname). I would like not to need to change the 
"left" parameter in both ipsec.conf and ipsec.secrets whenever the local 
WAN IP changes, so I have tried putting "left = %any" or "left = 
%hostname". Now, with %hostname (preferable) it won't connect, but with 
%any it does connect, sometimes. I can see in the documentation that 
%any does a local route lookup if the local host is initiating the 
connection, but only accepts all local IP addresses if it responds to 
the remote peer's initiation. In my case this always works when the remote 
peer is initiating the connection, but if my local end initiates it (i.e. 
start=route) it seems to choose the wrong public source IP to connect from.
In my case, my local gateway running strongSwan has multiple public 
interfaces (but only one should be used for IPsec tunnels); see the 
route information below:

default
         nexthop via 90.225.x.x  dev vlan845 weight 1
         nexthop via 10.248.x.x  dev ppp0 weight 256
         nexthop via 85.24.x.x  dev vlan847 weight 1
         nexthop via 46.195.x.x  dev ppp1 weight 1

My gateway is configured to use 10.248.0.x as the "default route" (highest 
weight/priority), but when strongSwan tries to initiate the tunnel it 
seems to always default to the last route, 46.195.x.x, and this won't 
work as the remote peer is expecting 85.24.x.x. Now, is there a way to 
tell strongSwan to use this IP/interface? I hoped "left=%hostname" would 
work, because the hostname is dynamically pointing to the IP on interface 
vlan847, but as already stated this isn't working either.

Any suggestions?

2. Probably also caused by the above routing setup (wild guess): I also 
have an IKEv2 EAP roadwarrior connection in strongSwan on the same 
interface. The strongSwan client on Android connects to my public 
hostname, and everything works (and in this setup I can have 
left=%hostname on the server); it's a full tunnel with 
leftsubnet=0.0.0.0/0. However, all VPN clients are being routed out on 
the same interface they connect to, so the third route above is being 
automatically used (vlan847) instead of the second route on ppp0 (with 
higher weight/priority). Clients locally connected to the gateway all 
get routed out on ppp0, but not VPN clients. Why is this, and what can 
be done to correct this? The reason for me wanting the VPN clients 
connecting on vlan847 to also be routed to the Internet on ppp0 is simple: 
ppp0 is a VPN connection from the gateway out to the Internet.

I can add that in strongswan.conf I have changed it so that all VPN routes 
added by strongSwan are installed in the standard, main routing table (instead 
of 220), so technically the VPN clients should be routed the same as the 
local clients by the gateway.
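The source-address question in the first point can be checked directly against the kernel. With left=%any an initiator takes its source address from a route lookup toward the peer, which is the same lookup `ip route get <peer>` performs; on a Linux multipath default route the `weight` value is the share of flows a nexthop receives, not a priority, so the lookup may land on any of the listed nexthops. The script below is an added example, not code from the original post or from the strongSwan project: it parses `ip route get` output (a constructed sample line using RFC 5737 documentation addresses, not the poster's) and, when iproute2 is available, runs the live lookup for a given peer and compares the chosen source address with the one the remote peer expects.

```shell
#!/bin/sh
# Added example (not from the original post or from strongSwan): reproduce
# the kernel source-address selection that an initiator with left=%any
# depends on, by parsing the output of `ip route get <peer>`.
# All addresses below are constructed RFC 5737 documentation addresses.

# Print the value that follows a keyword ("src", "dev", "via") in one line
# of `ip route get` output; prints nothing if the keyword is absent.
route_field() {
    # $1 = keyword, $2 = one captured output line
    printf '%s\n' "$2" | awk -v key="$1" '
        { for (i = 1; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

# Return 0 when the captured lookup result carries the expected source
# address, 1 otherwise. Works on a captured line so it can be checked offline.
source_matches() {
    # $1 = captured `ip route get` line, $2 = expected local source address
    [ "$(route_field src "$1")" = "$2" ]
}

# Live check (needs iproute2): ask the kernel which interface and source
# address it would pick toward the peer, and compare with what the remote
# peer expects. Usage: check_peer_source 198.51.100.7 203.0.113.10
check_peer_source() {
    peer=$1
    expected=$2
    line=$(ip route get "$peer" 2>/dev/null | head -n 1) || return 2
    [ -n "$line" ] || return 2
    printf 'peer %s -> dev %s src %s\n' "$peer" \
        "$(route_field dev "$line")" "$(route_field src "$line")"
    if source_matches "$line" "$expected"; then
        echo "OK: the kernel picks the source address the remote peer expects"
    else
        echo "MISMATCH: with left=%any the initiator would use this other address"
        return 1
    fi
}

# Constructed sample of what `ip route get` prints when the lookup selects
# a vlan847-style nexthop (this is not real output from the poster's system).
SAMPLE_LINE='198.51.100.7 via 203.0.113.1 dev vlan847 src 203.0.113.10 uid 0'

# Stand-alone run: show how the sample line is parsed.
printf 'sample: dev=%s src=%s\n' \
    "$(route_field dev "$SAMPLE_LINE")" "$(route_field src "$SAMPLE_LINE")"
```

Run `check_peer_source <remote-peer-ip> <address-the-peer-expects>` on the gateway. If the reported `src` is not the address on the intended interface, the multipath default route is steering the lookup elsewhere; a host route for that single peer via the intended interface makes the lookup deterministic without changing the default route for other traffic.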
