[strongSwan] SAs and Split Tunneling
Dusan Ilic
dusan at comhem.se
Tue May 16 18:58:36 CEST 2017
IKEv1 only supports one TS, if I recall correctly.
---- Tobias Koeck wrote ----
>I use StrongSwan 5.5.1 and checked out a RoadWarrior Scenario with a Linux
>Client connecting to a Router. On the Router side there are three SAs with
>the nets 192.168.0.0/16,172.16.0.0/12 and 10.0.0.0/8.
>
>The connection with StrongSwan works but it will only register the first
>network (192.168.0.0/16) in the iptables routing and in StrongSwan. I want
>to register all three networks in the routing as split tunneling and want
>to have the rest over the local Internet connection.
>
>I have checked the logs and have read the split tunneling manual but
>haven't found the problem so far.
>
>How do I do that? Do I have to generate the additional routing manually?
>
>Greetings and thanks
>Tobias
>
>ipsec.conf configuration
>
>conn vpn_tko
> authby=xauthpsk
> keyexchange=ikev1
> aggressive=yes
> ikelifetime=24h
> ike=aes256-sha1-modp2048!
> esp=aes256-sha1-modp2084!
> lifetime=1h
> left=%any
> leftid=some at email.blubb.com
> leftsourceip=%config
> leftauth=psk
> leftauth2=xauth
> leftfirewall=yes
> right=$router_IP
> rightid=router
> rightsubnet=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
> #rightsubnet=%dynamic
> rightauth=psk
> xauth_identity=vpn_connection
> auto=add
>
>
>ipsec status
>
>Security Associations (1 up, 0 connecting):
> vpn_connection[3]: ESTABLISHED 74 seconds ago, 10.0.2.15[
>tsome at email.blubb.com]...redacted_router_ip[redacted_router_IP]
> vpn_connection{3}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs:
>c367acb2_i 940c8364_o
> vpn_connection{3}: 192.168.11.107/32 === 192.168.0.0/16
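
An added example, not part of either message and not strongSwan code: a Python check that parses ipsec.conf text, flags `keyexchange=ikev1` conns that list several subnets (the case the reply describes), and renders one conn per subnet using `also=`. The sample config is constructed from the quoted conn, the `-1`, `-2` name suffixes are hypothetical, and it assumes the peer accepts a separate SA per subnet.

```python
import re

# Constructed sample, trimmed from the conn quoted above plus an IKEv2 conn.
SAMPLE = """\
conn vpn_tko
    keyexchange=ikev1
    rightsubnet=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
    auto=add

conn other
    keyexchange=ikev2
    rightsubnet=10.1.0.0/16,10.2.0.0/16
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line[0].isspace() and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None                        # other section types are ignored
    return conns

def multi_ts_ikev1(conns):
    """List (conn, key, subnets) where an IKEv1 conn lists several subnets."""
    findings = []
    for name, opts in conns.items():
        if opts.get("keyexchange", "").lower() != "ikev1":
            continue
        for key in ("leftsubnet", "rightsubnet"):
            subnets = [s.strip() for s in opts.get(key, "").split(",") if s.strip()]
            if len(subnets) > 1:
                findings.append((name, key, subnets))
    return findings

def split_conn(name, key, subnets):
    """Render one conn per subnet; the rest is inherited from `name` via also=."""
    return "\n".join(
        f"conn {name}-{i}\n    also={name}\n    {key}={net}\n"
        for i, net in enumerate(subnets, 1)
    )
```
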