[strongSwan] SAs and Split Tunneling

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue May 16 23:43:38 CEST 2017


Hello,

This was discussed on IRC already, but to put this into the archives, too, this email answers the question.

IKEv1 only supports one pair of subnets per SA. strongSwan implicitly removes any additional ones.
Read https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Multiple-subnets-per-SA

Kind regards,
Noel

On 16.05.2017 18:36, Tobias Koeck wrote:
> I use StrongSwan 5.5.1 and checked out a RoadWarrior Scenario with a Linux Client connecting to a Router. On the Router side there are three SAs with the nets 192.168.0.0/16, 172.16.0.0/12 and 10.0.0.0/8.
>
> The connection with StrongSwan works but it will only register the first network (192.168.0.0/16) in the iptables routing and in StrongSwan. I want to register all three networks in the routing as split tunneling and want to have the rest over the local Internet connection.
>
> I have checked the logs and have read the split tunneling manual but haven't found the problem so far.
>
> How do I do that? Do I have to generate the additional routing manually?
>
> Greetings and thanks
> Tobias
>
> ipsec.conf configuration
>
> conn vpn_tko
>         authby=xauthpsk
>         keyexchange=ikev1
>         aggressive=yes
>         ikelifetime=24h
>         ike=aes256-sha1-modp2048!
>         esp=aes256-sha1-modp2084!
>         lifetime=1h
>         left=%any
>         leftid=some at email.blubb.com
>         leftsourceip=%config
>         leftauth=psk
>         leftauth2=xauth
>         leftfirewall=yes
>         right=$router_IP
>         rightid=router
>         rightsubnet=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
>         #rightsubnet=%dynamic
>         rightauth=psk
>         xauth_identity=vpn_connection
>         auto=add
>
>        
> ipsec status
>
> Security Associations (1 up, 0 connecting):
>      vpn_connection[3]: ESTABLISHED 74 seconds ago, 10.0.2.15[tsome at email.blubb.com]...redacted_router_ip[redacted_router_IP]
>      vpn_connection{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c367acb2_i 940c8364_o
>      vpn_connection{3}:   192.168.11.107/32 === 192.168.0.0/16
>

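As an added example (not part of the thread above and not strongSwan project code), here is a small linter that catches the misconfiguration Noel describes before it reaches production: a `keyexchange=ikev1` conn whose `leftsubnet` or `rightsubnet` lists several CIDRs, of which strongSwan will negotiate only the first. It also renders the remedy from the linked FAQ, one conn section per subnet; sharing the common options through `also=` is my choice of layout, not something the thread prescribes. The ipsec.conf parser is a deliberate approximation (no `also=` resolution, no `config setup` handling), and the sample configuration is constructed, modelled on the one quoted above with a documentation-range router address.

```python
"""Added example: flag IKEv1 conns with more than one subnet per traffic selector.

IKEv1 carries exactly one pair of subnets per SA, so strongSwan installs only the
first entry of a comma-separated leftsubnet/rightsubnet (see the thread above).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the configuration quoted in the thread.
SAMPLE_IPSEC_CONF = """\
conn vpn_tko
        keyexchange=ikev1
        left=%any
        leftsourceip=%config
        right=203.0.113.1
        rightsubnet=192.168.0.0/16,172.16.0.0/12,10.0.0.0/8
        auto=add

conn ikev2_ok
        keyexchange=ikev2
        rightsubnet=192.168.0.0/16,10.0.0.0/8
"""


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every 'conn' section.

    Section bodies are indented key=value lines; '#' starts a comment.
    This is an approximation of the ipsec.conf grammar, not strongSwan's parser;
    'also=' inheritance is left unresolved.
    """
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is not None and line[0].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def lint_ikev1_multi_subnet(conns: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (conn, key, subnets) for each IKEv1 conn whose left/rightsubnet
    lists more than one CIDR; only subnets[0] would actually be negotiated.
    The default keyexchange=ike initiates IKEv2, so it is not flagged."""
    findings: List[Tuple[str, str, List[str]]] = []
    for name, opts in conns.items():
        if opts.get("keyexchange", "ike").lower() != "ikev1":
            continue
        for key in ("leftsubnet", "rightsubnet"):
            subnets = [s.strip() for s in opts.get(key, "").split(",") if s.strip()]
            if len(subnets) > 1:
                findings.append((name, key, subnets))
    return findings


def split_into_per_subnet_conns(name: str, opts: Dict[str, str], key: str = "rightsubnet") -> str:
    """Render the FAQ remedy for IKEv1: one conn per subnet. The first conn keeps
    the full option set; the others reuse it via 'also=' and override only the subnet."""
    subnets = [s.strip() for s in opts[key].split(",") if s.strip()]
    out: List[str] = []
    for i, subnet in enumerate(subnets):
        out.append(f"conn {name}" if i == 0 else f"conn {name}-{i}")
        if i == 0:
            for k, v in opts.items():
                out.append(f"        {k}={subnet if k == key else v}")
        else:
            out.append(f"        also={name}")
            out.append(f"        {key}={subnet}")
        out.append("")
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    parsed = parse_conns(SAMPLE_IPSEC_CONF)
    for conn, opt, nets in lint_ikev1_multi_subnet(parsed):
        print(f"{conn}: {opt} lists {len(nets)} subnets, but IKEv1 installs only {nets[0]}")
        print(split_into_per_subnet_conns(conn, parsed[conn], opt))
```

Run it against a real ipsec.conf by replacing `SAMPLE_IPSEC_CONF` with the file contents; on the sample it reports `vpn_tko` and prints three conn sections, which matches what the `ipsec status` output above shows being installed (a single `192.168.0.0/16` child SA) and why.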