[strongSwan] Multiple right subnet configuration for ikev1
Prez Cannady
revprez at opencorrelate.org
Thu Dec 21 01:14:25 CET 2017
Hoping someone can help me out here.
I’m trying to configure a site-to-site IKEv1 connection to a remote host managed by another firm. I need to be able to route traffic to to two right-side subnets, 10.0.51.0/24 and 10.0.20.0/24. I’m unable to simply declare 10.0.0.0/16 as the right-side subnet as doing so would conflict with addresses that I need to resolve in our local network.
However, when activated with this configuration, only the last configured child connection enables (in this case subnet02). Commenting out the subnet02 block enables routing to subnet01.
It seems this child connection approach is the proper one for ikev1, but I could be wrong.
https://lists.strongswan.org/pipermail/users/2012-March/002746.html
I suspect I’m missing something very simple, but any help would be appreciated.
Gist available here:
https://gist.github.com/revprez/b6ae775b02cc2009721d2eadf950cd72
conn common
authby=psk
type=tunnel
ike=...
ikelifetime=28800s
esp=...
keylife=3600s
keyingtries=%forever
keyexchange=ikev1
left=%defaultroute
leftid=...
leftsubnet=...
right=...
dpddelay=10
dpdtimeout=30
dpdaction=restart
installpolicy=yes
auto=start
conn subnet01
also=common
rightsubnet=10.0.51.0/24
auto=start
conn subnet02
also=common
rightsubnet=10.0.20.0/24
auto=start
Prez Cannady
e: revprez at opencorrelate.org <mailto:revprez at opencorrelate.org>
h: https://revprez.github.io <https://revprez.github.io/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171220/91bdebaf/attachment.html>
More information about the Users
mailing list