[strongSwan] SAs and Split Tunneling

Tobias Koeck tobias.koeck at gmail.com
Tue May 16 18:36:03 CEST 2017


I use strongSwan 5.5.1 and checked out a road warrior scenario with a Linux
client connecting to a router. On the router side there are three SAs with
the nets 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8.

The connection with strongSwan works, but it only registers the first
network (192.168.0.0/16) in the iptables routing and in strongSwan. I want
to register all three networks in the routing as split tunneling and have
the rest go over the local Internet connection.

I have checked the logs and have read the split tunneling manual but
haven't found the problem so far.

How do I do that? Do I have to generate the additional routing manually?

Greetings and thanks
Tobias

ipsec.conf configuration

conn vpn_tko
        # IKEv1 aggressive mode, PSK plus XAuth (road warrior client)
        authby=xauthpsk
        keyexchange=ikev1
        aggressive=yes
        ikelifetime=24h
        ike=aes256-sha1-modp2048!
        # ESP proposal with PFS group; the original post had "modp2084" here,
        # which is a typo for modp2048
        esp=aes256-sha1-modp2048!
        lifetime=1h
        left=%any
        leftid=some at email.blubb.com
        # request a virtual IP from the router
        leftsourceip=%config
        leftauth=psk
        leftauth2=xauth
        # let the _updown script add iptables rules per CHILD_SA
        leftfirewall=yes
        right=$router_IP
        rightid=router
        # three remote subnets on a single conn; an IKEv1 Quick Mode SA
        # carries only one traffic selector pair, so only the first is set up
        rightsubnet=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
        #rightsubnet=%dynamic
        rightauth=psk
        xauth_identity=vpn_connection
        auto=add


ipsec status

Security Associations (1 up, 0 connecting):
     vpn_connection[3]: ESTABLISHED 74 seconds ago, 10.0.2.15[tsome at email.blubb.com]...redacted_router_ip[redacted_router_IP]
     vpn_connection{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c367acb2_i 940c8364_o
     vpn_connection{3}:   192.168.11.107/32 === 192.168.0.0/16
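The usual way to get all three subnets over IKEv1, as an added example that is not part of the original post or of strongSwan's own documentation: IKEv1 Quick Mode negotiates one traffic selector pair per IPsec SA, so a comma-separated rightsubnet list on an IKEv1 conn only ever yields the first subnet, which is exactly the single 192.168.11.107/32 === 192.168.0.0/16 entry in the status output above. Splitting the conn into one section per subnet, with the common settings shared through also=, gives one CHILD_SA, one route in routing table 220 and one iptables rule per subnet, while all other traffic keeps using the default route. The section names (vpn_tko_base, vpn_tko_192, vpn_tko_172, vpn_tko_10) and $router_IP are assumptions.

```ini
# Added example (not from the original post): one conn per remote subnet
# for IKEv1, since a Quick Mode SA carries a single traffic selector pair.
# Section names and $router_IP are assumptions.

conn vpn_tko_base
        # shared settings only; "auto" is left at its default (ignore),
        # so this section is never loaded on its own
        authby=xauthpsk
        keyexchange=ikev1
        aggressive=yes
        ikelifetime=24h
        ike=aes256-sha1-modp2048!
        esp=aes256-sha1-modp2048!
        lifetime=1h
        left=%any
        leftid=some at email.blubb.com
        leftsourceip=%config
        leftauth=psk
        leftauth2=xauth
        leftfirewall=yes
        right=$router_IP
        rightid=router
        rightauth=psk
        xauth_identity=vpn_connection

# each of these yields its own IPsec SA, route (table 220) and iptables rule
conn vpn_tko_192
        also=vpn_tko_base
        rightsubnet=192.168.0.0/16
        auto=add

conn vpn_tko_172
        also=vpn_tko_base
        rightsubnet=172.16.0.0/12
        auto=add

conn vpn_tko_10
        also=vpn_tko_base
        rightsubnet=10.0.0.0/8
        auto=add
```

Bring them up with ipsec up vpn_tko_192, ipsec up vpn_tko_172 and ipsec up vpn_tko_10 (or set auto=start on each). charon reuses an established IKE_SA for conns whose IKE and authentication settings match, so ipsec status should then show one [ ] IKE_SA with three { } CHILD_SAs, and ip route show table 220 should list a route for each of the three subnets; if a subnet is missing there, check that its conn was actually loaded (ipsec statusall lists the loaded connections). Switching keyexchange to ikev2 would let a single conn carry all three subnets in one CHILD_SA, but only if the router speaks IKEv2.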