[strongSwan] Multiple right subnet configuration for ikev1

Prez Cannady revprez at opencorrelate.org
Thu Dec 21 04:05:14 CET 2017 

Not sure if this actually fixed it, and not sure how I reason about it, but I had some success by setting all instances of “auto=start” to “auto=route” save for the last entry.


Prez Cannady  
e: revprez at opencorrelate.org <mailto:revprez at opencorrelate.org>  
h: https://revprez.github.io <https://revprez.github.io/>







> On Dec 20, 2017, at 7:14 PM, Prez Cannady <revprez at opencorrelate.org> wrote:
> 
> Hoping someone can help me out here.
> 
> I’m trying to configure a site-to-site IKEv1 connection to a remote host managed by another firm. I need to be able to route traffic to to two right-side subnets, 10.0.51.0/24 and 10.0.20.0/24.  I’m unable to simply declare 10.0.0.0/16 as the right-side subnet as doing so would conflict with addresses that I need to resolve in our local network.
> 
> However, when activated with this configuration, only the last configured child connection enables (in this case subnet02). Commenting out the subnet02 block enables routing to subnet01. 
> 
> It seems this child connection approach is the proper one for ikev1, but I could be wrong.
> https://lists.strongswan.org/pipermail/users/2012-March/002746.html <https://lists.strongswan.org/pipermail/users/2012-March/002746.html>
> 
> I suspect I’m missing something very simple, but any help would be appreciated.
> 
> Gist available here:
> https://gist.github.com/revprez/b6ae775b02cc2009721d2eadf950cd72 <https://gist.github.com/revprez/b6ae775b02cc2009721d2eadf950cd72>
> 
> conn common
>   authby=psk
>   type=tunnel
>   ike=...
>   ikelifetime=28800s
>   esp=...
>   keylife=3600s
>   keyingtries=%forever
>   keyexchange=ikev1
>   left=%defaultroute
>   leftid=...
>   leftsubnet=...
>   right=...
>   dpddelay=10
>   dpdtimeout=30
>   dpdaction=restart
>   installpolicy=yes
>   auto=start
> 
> conn subnet01
>   also=common
>   rightsubnet=10.0.51.0/24
>   auto=start
> 
> conn subnet02
>   also=common
>   rightsubnet=10.0.20.0/24
>   auto=start
> 
> 
> 
> 
> Prez Cannady  
> e: revprez at opencorrelate.org <mailto:revprez at opencorrelate.org>  
> h: https://revprez.github.io <https://revprez.github.io/>
> 
> 
> 
> 
> 
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171220/10901ae1/attachment-0001.html>

More information about the Users mailing list