[strongSwan] Tunnels with dynamic IP and another route issue
dusan at comhem.se
Thu Apr 27 22:38:22 CEST 2017
I would really appreciate some help with below also, Im having a Hard
time understanding how Strongswan chooses connection definitions and
For example, how can I setup an ikev2 psk tunnel between two hosts with
Can I have several ip secrets or connections with %any?
Ive tried with %dyndns but seem to get some errors about constraints and
such. If someone would give me an explanation that would be great!
Den 2017-04-24 kl. 18:48, skrev Dusan Ilic:
> No one?
> Den 2017-04-21 kl. 10:16, skrev Dusan Ilic:
>> I have some issues, please read on.
>> 1. I have one side of the IP-sec tunnel with dynamic IP (associated
>> with a dynamic hostname), I would like not need to change the
>> "left"-parameter in both ipsec.conf and ipsec.secrets whenever the
>> local WAN IP changes, so I have tried putting "left = %any" or "left
>> = %hostname". Now, with %hostname (preferable) it wont connect, but
>> with %any it does connect, sometimes. I can see in the documentation
>> that %any does a local root lookup if the local host is initiating
>> the connection, but only accepting all local IP-adresses if it
>> responds to the remote peer initiation. In my case ths always work
>> when the remote peer is initiating the connection, but if my local
>> end initiates it (ie start=route) it seem to choose the wrong public
>> source IP to connect from.
>> In my case, my local gateway running Strongswan have multiple public
>> interfaces (but only one should be used for IP-sec tunnels), se below
>> route information:
>> nexthop via 90.225.x.x dev vlan845 weight 1
>> nexthop via 10.248.x.x dev ppp0 weight 256
>> nexthop via 85.24.x.x dev vlan847 weight 1
>> nexthop via 46.195.x.x dev ppp1 weight 1
>> My gateway is configured to use 10.248.0.x as "default route"
>> (highest weight/priority), but when Strongswan tried to initiate the
>> tunnel it seems to always default too the last route, 46.195.x.x, and
>> this wont work as the remote peer is expecting 85.24.x.x. Now, is
>> there a way to tell Strongswan to use this IP/interface? I hope
>> "left=%hostname" would work, because the hostname is dynamically
>> ponting to the IP at interface vlan847, but as already stated this
>> isn't working either.
>> Any suggestions?
>> 2. Probably also cause by the above routing setup (wild guess), I
>> also have IKEv2 EAP roadwarrior connectin in Strongswan on the same
>> interface. The Strongswan client on Android connects to my public
>> hostname, and everything works (and in this setup I can have
>> left=%hostname on the server), it's a full tunnel with
>> leftsubnet=0.0.0.0/0. However, all VPN-clients are beeing routed out
>> on this same interface the connect to, so the third route above is
>> being automatically used (vlan847) instead of the second route on
>> ppp0 (with higher weight/priority). Locally connected clients to the
>> gateway all gets routed out on ppp0, but not VPN-clients. Why is
>> this, and what can be done to correct this? The reason for me wanting
>> the VPN clients connecting on vlan847 also routed on the the Internet
>> on ppp0 is simple, ppp0 is a VPN connection from the gateway out to
>> the Internet.
>> I can add that in strongswan.conf I have changed so that all
>> VPN-routes added by Strongswan is done in the standard, main routing
>> table (instead of 220), so technically the VPN-clients should be
>> routed the same as the local clients by the gateway.
More information about the Users