[strongSwan] Tunnels with dynamic IP and another route issue

Dusan Ilic dusan at comhem.se
Sat May 6 20:38:19 CEST 2017


There is nothing in the logs. I'm downing the tunnel, then starting a 
ping from a client to get it up while tailing the log file on the 
gateway. Nothing related to that tunnel is shown at all...

The only tunnel that goes up by traffic is the tunnel with rightsubnet 
0.0.0.0. When I disable that tunnel, the other tunnels start to work. 
With the 0.0.0.0 tunnel up, I have to manually up the tunnel or wait for 
the peer to initiate the connection.

Below you have my complete config

config setup
         uniqueids = never

conn %default
         auto=route
         keyexchange=ikev2
         type=tunnel
         dpdaction=restart
         leftauth=psk
         rightauth=psk
         left=%any
         leftsubnet=10.1.1.0/26

# - - - - - - - - - - - -
# Passthrough connections
# - - - - - - - - - - - -

conn lan
         authby=never
         type=passthrough
         left=127.0.0.1
         leftsubnet=10.1.1.0/26
         right=127.0.0.1
         rightsubnet=10.1.1.0/26,10.1.2.0/26,255.255.255.255/32

conn lan2
         also=lan
         leftsubnet=10.1.2.0/26
         rightsubnet=10.1.2.0/26

conn iptv
         also=lan
         leftsubnet=10.1.1.0/26
         rightsubnet=90.225.194.0/24,194.236.188.130/32,194.22.194.0/24

conn integrity
         also=lan
         leftsubnet=10.1.1.1/32
         rightsubnet=94.254.51.231/32

# - - - - - - - - - - - -
#     Site to Site
# - - - - - - - - - - - -

conn wesafe
         keylife=10800s
         ikelifetime=28800s
         ike=aes128-sha1-modp2048
         esp=aes128-sha1
         right=%example.com
         rightid=example.com
         rightsubnet=192.168.1.0/24

conn test
         keylife=3600s
         ikelifetime=28800s
         ike=aes128-sha1-modp1024!
         esp=aes128-sha1-modp1024!
         right=%example.com
         rightid=example.com
         rightsubnet=0.0.0.0/0

conn azure
         keylife=27000s
         ikelifetime=28800s
         ike=aes128-sha1-modp1024
         esp=aes128-sha1
         right=x.x.x.x
         rightsubnet=10.0.1.0/24

# - - - - - - - - - - - -
#     Remote Access
# - - - - - - - - - - - -


conn vpn
         auto=add
         dpdaction=clear
         dpddelay=300s
         mobike=yes

         leftid=example.com
         leftsubnet=0.0.0.0/0
         leftauth=pubkey

         right=%any
         rightsubnet=%dynamic
         rightsourceip=%dhcp
         rightauth=eap-mschapv2

         eap_identity=%any

On 2017-05-06 at 17:49, Noel Kuntze wrote:
> On 06.05.2017 14:29, Dusan Ilic wrote:
>> Sorry to say I didn't follow you completely, what do you mean? Doesn't disabling route installation effectively mean that I'm forced to set up the same with updown-scripts?
>> Also, what's the difference setting a fwmark with the netlink plugin? What behaviour changes?
> No, in your case, you don't need any extra routes. Just disable it. With the fwmark set, charon can exclude routing table 220 when doing route lookups.
>
>> One observation, it looks like ignoring routing tables doesn't work. I've tried ignoring every single one and still charon is able to initiate, how is this possible?
> Dunno.
>
>> Also, when having a 0.0.0.0 tunnel all other tunnels won't go up on traffic if start=route is set. Any idea why?
>>
> Dunno. Provide your configuration and logs.
>
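
As an added diagnostic (not from the original post, nor part of strongSwan): the script below parses the ipsec.conf format shown above, applies %default and also= inheritance, and lists which auto=route conns install trap policies whose rightsubnet selectors overlap, which is the first thing to check against the symptom described, since the 0.0.0.0/0 selector of conn test overlaps every other site-to-site selector. The embedded excerpt is a constructed subset of the posted config, and the function names are my own.

```python
import ipaddress
# Constructed excerpt of the ipsec.conf from the post; pass open("/etc/ipsec.conf").read() for a real run.
IPSEC_CONF = """\
conn %default
         auto=route
conn test
         rightsubnet=0.0.0.0/0
conn azure
         rightsubnet=10.0.1.0/24
conn vpn
         auto=add
         rightsubnet=%dynamic
"""

def parse_ipsec_conf(text):
    """conn name -> {key: value}; indented lines belong to the section header above them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():          # header: 'conn X' or 'config setup'
            current = line[5:].strip() if line.startswith("conn ") else None
            if current:
                sections[current] = {}
        elif current and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def effective(sections, name, seen=()):
    """Settings after applying %default, then the also= chain, then the conn itself."""
    own = sections[name]
    eff = dict(sections.get("%default", {}))
    if own.get("also") in sections and name not in seen:
        eff.update(effective(sections, own["also"], seen + (name,)))
    eff.update(own)
    return eff

def overlapping_trap_selectors(text):
    """Pairs of auto=route conns (trap policies) whose rightsubnet selectors overlap; passthrough conns are skipped because overlapping the tunnel policies is their purpose."""
    nets, sections = {}, parse_ipsec_conf(text)
    for name in sections:
        cfg = effective(sections, name)
        if name == "%default" or cfg.get("auto") != "route" or cfg.get("type") == "passthrough":
            continue
        nets[name] = [ipaddress.ip_network(ts, strict=False)
                      for ts in (t.strip() for t in cfg.get("rightsubnet", "").split(","))
                      if ts and not ts.startswith("%")]          # %dynamic is not a CIDR
    names = sorted(nets)
    return [(a, b, str(na), str(nb)) for i, a in enumerate(names) for b in names[i + 1:]
            for na in nets[a] for nb in nets[b] if na.overlaps(nb)]
```

Run it against the full posted config and every site-to-site conn will be reported against conn test, while the passthrough conns (lan, lan2, iptv, integrity) and the auto=add conn vpn are left out.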