[strongSwan] Multiple right subnet configuration for ikev1

Prez Cannady revprez at opencorrelate.org
Thu Dec 21 01:14:25 CET 2017


Hoping someone can help me out here.

I’m trying to configure a site-to-site IKEv1 connection to a remote host managed by another firm. I need to be able to route traffic to two right-side subnets, 10.0.51.0/24 and 10.0.20.0/24. I’m unable to simply declare 10.0.0.0/16 as the right-side subnet, as doing so would conflict with addresses that I need to resolve in our local network.

However, when activated with this configuration, only the last configured child connection enables (in this case subnet02). Commenting out the subnet02 block enables routing to subnet01. 

It seems this child connection approach is the proper one for ikev1, but I could be wrong.
https://lists.strongswan.org/pipermail/users/2012-March/002746.html

I suspect I’m missing something very simple, but any help would be appreciated.

Gist available here:
https://gist.github.com/revprez/b6ae775b02cc2009721d2eadf950cd72

conn common
  authby=psk
  type=tunnel
  ike=...
  ikelifetime=28800s
  esp=...
  keylife=3600s
  keyingtries=%forever
  keyexchange=ikev1
  left=%defaultroute
  leftid=...
  leftsubnet=...
  right=...
  dpddelay=10
  dpdtimeout=30
  dpdaction=restart
  installpolicy=yes
  auto=start

conn subnet01
  also=common
  rightsubnet=10.0.51.0/24
  auto=start

conn subnet02
  also=common
  rightsubnet=10.0.20.0/24
  auto=start




Prez Cannady
e: revprez at opencorrelate.org
h: https://revprez.github.io






