[strongSwan] Tunnels with dynamic IP and another route issue

Dusan Ilic dusan at comhem.se
Thu Apr 27 22:38:22 CEST 2017

I would really appreciate some help with the below as well; I'm having a hard 
time understanding how strongSwan chooses connection definitions and 
IPsec secrets.

For example, how can I set up an IKEv2 PSK tunnel between two hosts with 
dynamic DNS?
Can I have several IPsec secrets or connections with %any?

I've tried with %dyndns but seem to get some errors about constraints and 
such. If someone would give me an explanation, that would be great!

On 2017-04-24 at 18:48, Dusan Ilic wrote:
> No one?
> On 2017-04-21 at 10:16, Dusan Ilic wrote:
>> Hi!
>> I have some issues, please read on.
>> 1. I have one side of the IPsec tunnel with a dynamic IP (associated 
>> with a dynamic hostname). I would like to not need to change the 
>> "left" parameter in both ipsec.conf and ipsec.secrets whenever the 
>> local WAN IP changes, so I have tried putting "left = %any" or "left 
>> = %hostname". Now, with %hostname (preferable) it won't connect, but 
>> with %any it does connect, sometimes. I can see in the documentation 
>> that %any does a local route lookup if the local host is initiating 
>> the connection, but only accepts all local IP addresses if it 
>> responds to the remote peer's initiation. In my case this always works 
>> when the remote peer is initiating the connection, but if my local 
>> end initiates it (i.e. auto=route) it seems to choose the wrong public 
>> source IP to connect from.
>> In my case, my local gateway running strongSwan has multiple public 
>> interfaces (but only one should be used for IPsec tunnels), see below 
>> route information:
>> default
>>         nexthop via 90.225.x.x  dev vlan845 weight 1
>>         nexthop via 10.248.x.x  dev ppp0 weight 256
>>         nexthop via 85.24.x.x  dev vlan847 weight 1
>>         nexthop via 46.195.x.x  dev ppp1 weight 1
>> My gateway is configured to use 10.248.0.x as "default route" 
>> (highest weight/priority), but when strongSwan tries to initiate the 
>> tunnel it seems to always default to the last route, 46.195.x.x, and 
>> this won't work as the remote peer is expecting 85.24.x.x. Now, is 
>> there a way to tell strongSwan to use this IP/interface? I hoped 
>> "left=%hostname" would work, because the hostname is dynamically 
>> pointing to the IP at interface vlan847, but as already stated this 
>> isn't working either.
>> Any suggestions?
>> 2. Probably also caused by the above routing setup (wild guess): I 
>> also have an IKEv2 EAP roadwarrior connection in strongSwan on the same 
>> interface. The strongSwan client on Android connects to my public 
>> hostname, and everything works (and in this setup I can have 
>> left=%hostname on the server); it's a full tunnel with 
>> leftsubnet= However, all VPN clients are being routed out 
>> on this same interface they connect to, so the third route above is 
>> being automatically used (vlan847) instead of the second route on 
>> ppp0 (with higher weight/priority). Locally connected clients to the 
>> gateway all get routed out on ppp0, but not VPN clients. Why is 
>> this, and what can be done to correct this? The reason for me wanting 
>> the VPN clients connecting on vlan847 also routed to the Internet 
>> on ppp0 is simple: ppp0 is a VPN connection from the gateway out to 
>> the Internet.
>> I can add that in strongswan.conf I have changed it so that all 
>> VPN routes added by strongSwan are put in the standard, main routing 
>> table (instead of 220), so technically the VPN clients should be 
>> routed the same as the local clients by the gateway.
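As an added example (not part of the thread above and not configuration shipped by the strongSwan project), the layout a site-to-site IKEv2 PSK tunnel between two dynamic-DNS peers usually takes: neither side pins its own address, each side matches the peer on its IKE identity rather than on its IP, the peer's hostname is resolved at initiation but the peer is still accepted from any address after its IP changes (rightallowany=yes), and the secret in ipsec.secrets is keyed on the two identities instead of on addresses. The hostnames gw-a.example.org and gw-b.example.org, the subnets and the PSK are placeholders; peer B uses the same file with left/right swapped.

```conf
# /etc/ipsec.conf on peer A (constructed example; peer B swaps the left/right values)
config setup

conn dyn-psk
    keyexchange=ikev2
    authby=secret
    # Do not pin the local address: with %any charon picks the source address
    # by a route lookup when initiating and accepts any local address when
    # responding, so the file need not change when the WAN IP changes.
    left=%any
    # '@' makes this a literal FQDN identity (ID_FQDN); it is never resolved.
    leftid=@gw-a.example.org
    leftsubnet=192.168.1.0/24
    # Resolve the peer by DNS when we initiate ...
    right=gw-b.example.org
    # ... but still accept it from any address, since its IP is dynamic too.
    rightallowany=yes
    rightid=@gw-b.example.org
    rightsubnet=192.168.2.0/24
    # Tear down and re-initiate (re-resolving the name) when the peer's
    # address changes and the old SA goes dead.
    dpdaction=restart
    dpddelay=30s
    closeaction=restart
    auto=route

# /etc/ipsec.secrets (identical on both peers).
# Selectors are identities, not addresses; '@' again prevents DNS resolution,
# so the same line matches regardless of which IP either side currently has.
@gw-a.example.org @gw-b.example.org : PSK "replace-with-a-long-random-secret"
```

Two caveats a practitioner should keep in mind. First, the PSK lookup and the connection match both key on the IDs, so both peers must send the FQDN identity (leftid) and not fall back to their IP address, otherwise the responder will find no secret for the pair. Second, this does not by itself fix the source-address problem described above: with left=%any the local address is whatever the kernel's route to the peer's current IP selects, so on a multi-homed gateway the route to the peer has to leave via the intended interface (for example a host route for the peer's address, which then must be refreshed when the peer's IP changes), or left= must carry that interface's concrete address.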
