[strongSwan] SAs and Split Tunneling
Tobias Koeck
tobias.koeck at gmail.com
Tue May 16 18:36:03 CEST 2017
I use StrongSwan 5.5.1 and checked out a RoadWarrior Scenario with a Linux
Client connecting to a Router. On the Router side there are three SAs with
the nets 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8.

The connection with StrongSwan works but it will only register the first
network (192.168.0.0/16) in the iptables routing and in StrongSwan. I want
to register all three networks in the routing as split tunneling and want
to have the rest over the local Internet connection.

I have checked the logs and have read the split tunneling manual but
haven't found the problem so far.

How do I do that? Do I have to generate the additional routing manually?

Greetings and thanks
Tobias

ipsec.conf configuration

conn vpn_tko
    authby=xauthpsk
    keyexchange=ikev1
    aggressive=yes
    ikelifetime=24h
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1-modp2048!
    lifetime=1h
    left=%any
    leftid=some at email.blubb.com
    leftsourceip=%config
    leftauth=psk
    leftauth2=xauth
    leftfirewall=yes
    right=$router_IP
    rightid=router
    rightsubnet=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
    #rightsubnet=%dynamic
    rightauth=psk
    xauth_identity=vpn_connection
    auto=add

ipsec status

Security Associations (1 up, 0 connecting):
  vpn_connection[3]: ESTABLISHED 74 seconds ago, 10.0.2.15[tsome at email.blubb.com]...redacted_router_ip[redacted_router_IP]
  vpn_connection{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c367acb2_i 940c8364_o
  vpn_connection{3}:   192.168.11.107/32 === 192.168.0.0/16