[strongSwan] Strongswan. Address definition/Routing.
Aleksey Kravchenko
gmkrab at gmail.com
Fri Sep 29 14:56:34 CEST 2017
On the Windows client I will add a static route and run Set-VpnConnection -Name "VPN"
-SplitTunneling 1 -AllUserConnection. All works fine.
My server configuration file:

config setup
    uniqueids = no

conn %default
    esp = aes-aes256-sha-modp1024,aes256-sha512-modp4096
    ike = aes-aes256-sha-modp1024,aes256-sha512-modp4096
    dpdaction = clear
    dpddelay = 35s
    dpdtimeout = 2000s
    fragmentation = yes
    rekey = no
    left = %any
    leftfirewall = yes
    leftcert = fullchain.pem
    leftsendcert = always
    right = %any
    rightsourceip = 192.168.103.0/24
    rightdns = 8.8.8.8,8.8.4.4
    eap_identity = %any

conn IPSec-IKEv2
    keyexchange = ikev2
    auto = add

conn IPSec-IKEv2-EAP
    also = "IPSec-IKEv2"
    rightauth = eap-radius
    leftid = DOMAIN.LTD   # on my second white IP
    auto = add
    leftsubnet = IP/32

conn IKEv2-MSCHAPv2-Apple
    also = "IPSec-IKEv2"
    ike = aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
    esp = aes256-sha256,3des-sha1,aes256-sha1!
    rightauth = eap-radius
    leftid = DOMAIN.LTD
    leftsubnet = IP/32
2017-09-29 13:38 GMT+03:00 Noel Kuntze <
noel.kuntze+strongswan-users-ml at thermi.consulting>:
> If I could award a star for disinformation, this one would get it.
>
> 1) The article about interoperability with Windows explains how to get
> routes working for crappy Windows clients.
> 2) As Anvar explained, leftsubnet sets the local traffic selector, which
> defines which destinations are allowed by the IPsec policies. Set
> leftsubnet=0.0.0.0/0.
> 3) You can not allow only certain protocols through the tunnel without
> blackholing all other protocols, if the sender uses route based IPsec.
> 4) You likely use libipsec. Stop doing that, it sucks. It is likely the
> cause of Android and other clients working, but not Windows with your wrong
> configuration, if you tested Android and other clients with
> leftsubnet=[IP]/32.
>
> Kind regards
>
> Noel
>
> On 29.09.2017 12:23, Anvar Kuchkartaev wrote:
> > I don't think Windows is able to obtain routes from an IKE VPN server.
> > Windows must be using a 0.0.0.0/0 route to your VPN server and sending all
> > traffic to it, but if you configured left=[IP]/32 on the VPN server side then
> > all traffic other than to that IP is not authorised to pass through the tunnel. I
> > don't know how to configure VPN routes in Windows and I would rather
> > recommend configuring a router standing between Windows and the internet and
> > sharing the tunnel of the router with other devices connected to it.
> >
> > Anvar Kuchkartaev
> > anvar at anvartay.com
> > From: Aleksey Kravchenko
> > Sent: viernes, 29 de septiembre de 2017 12:08 p.m.
> > To: Noel Kuntze; users at lists.strongswan.org
> > Subject: Re: [strongSwan] Strongswan. Address definition/Routing.
> >
> >
> > Hello again! I need your help.
> >
> > The problem is that the traffic through the VPN is sent only when accessing
> > one specific IP. I pointed this IP to leftsubnet = IP/32 and everything
> > works well for Linux, macOS, Android, iOS. But Windows in this case does
> > not see the Internet, and only the address specified in leftsubnet is
> > available to it.
> >
> > And is it still possible to specify specific ports? For example, to
> > only take http and https through the VPN. The protoport option did not help.
> > Thank you in advance!
> >
> > 2017-09-25 16:10 GMT+03:00 Aleksey Kravchenko <gmkrab at gmail.com>:
> >
> > Good.
> > Thank you, Noel.
> >
> > 2017-09-25 16:08 GMT+03:00 Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>:
> >
> > Hi,
> >
> > No. As I previously wrote, this is a system intrinsic problem.
> >
> > Kind regards
> >
> > Noel
> >
> > On 25.09.2017 15:03, Aleksey Kravchenko wrote:
> > > Hello. I managed to solve the problem with routes on Windows
> > > and macOS. For this purpose, a second white IP was used.
> > > p.s. Are there any ways or tricks to solve this problem with
> > > the same IP address?
> > >
> > > 2017-09-14 11:03 GMT+03:00 Aleksey Kravchenko <gmkrab at gmail.com>:
> > >
> > > Hello, Noel. Thanks for the answer. Unfortunately, there
> > > is no way to bypass. As a solution we can use the second white IP for
> > > Strongswan, and the web server on the 1st IP.
> > >
> > > 2017-09-13 22:17 GMT+03:00 Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>:
> > >
> > > Hi,
> > >
> > > That is because Windows and MacOS implement crappy
> > > route based IPsec which conceptually can not protect traffic to the IKE
> > > peer's address (unless policy based routing is used, which
> > > neither Windows nor MacOS implement).
> > >
> > > Kind regards
> > >
> > > Noel
> > >
> > > On 13.09.2017 17:14, Aleksey Kravchenko wrote:
> > > > Hello. I need your advice.
> > > > The work of Strongswan + IKEv2 is configured.
> > > > Everything works fine (on iOS, macOS, Windows, Linux), but I noticed
> > > > strange behavior in the VPN's work. There is a server on which Strongswan and
> > > > Nginx are installed. When you connect to the VPN and go to the site which is
> > > > located in the same place as the strongswan daemon, the nginx log shows
> > > > different addresses for connections. For instance: android / linux -> login
> > > > from the address issued by the VPN (for example, 192.168.1.2).
> > > > windows / macos -> login from the usual address
> > > > (provider address).
> > > > But if you go to the IP detection server, the result
> > > > for all devices is the same: you logged in from the VPN server. Do you
> > > > have any thoughts about this? Thank you!
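The policy-based versus route-based behaviour this whole thread turns on, as an added model that is not code from the thread or from strongSwan: it classifies a client packet by the server's leftsubnet (the traffic selector), the client's IPsec type and the routes the client points at the VPN interface. The addresses PEER, SITE and OTHER and the classify() function are constructed assumptions of this example.

```python
import ipaddress

# Constructed sample addresses, not taken from the thread
PEER = "203.0.113.20"   # IKE endpoint (the "second white IP")
SITE = "203.0.113.10"   # web host configured as leftsubnet=IP/32
OTHER = "198.51.100.5"  # any other internet host

def _covered(dst, prefixes):
    """True if dst lies inside any of the CIDR prefixes."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)

def classify(dst, ts, mode, routes=("0.0.0.0/0",), peer=PEER):
    """Return 'tunnel', 'clear' or 'blackhole' for a client packet to dst.

    ts     -- server leftsubnet prefixes, i.e. what the IPsec policy allows
    mode   -- 'policy': kernel IPsec (Linux/Android/iOS) diverts only packets
              the policy covers and forwards the rest normally;
              'route': Windows/macOS push everything the routing table points
              at the VPN interface into the tunnel; uncovered packets drop
    routes -- prefixes the route-based client points at the VPN interface
              (the default route unless split tunneling narrows it)
    """
    if mode == "policy":
        return "tunnel" if _covered(dst, ts) else "clear"
    if mode != "route":
        raise ValueError("mode must be 'policy' or 'route'")
    # A route-based client keeps a host route to the IKE peer via the physical
    # gateway so that the encapsulated ESP can reach it, so traffic to the
    # peer's own address is never protected (Noel's point, hence the 2nd IP).
    if ipaddress.ip_address(dst) == ipaddress.ip_address(peer):
        return "clear"
    if not _covered(dst, routes):
        return "clear"
    return "tunnel" if _covered(dst, ts) else "blackhole"

def scenarios():
    """The cases discussed in the thread, as label -> verdict."""
    narrow, everything, split = [SITE + "/32"], ["0.0.0.0/0"], [SITE + "/32"]
    return {
        "linux, narrow TS, OTHER": classify(OTHER, narrow, "policy"),
        "windows, narrow TS, OTHER": classify(OTHER, narrow, "route"),
        "windows, narrow TS, SITE": classify(SITE, narrow, "route"),
        "windows, PEER": classify(PEER, everything, "route"),
        "linux, PEER": classify(PEER, everything, "policy"),
        "windows, full TS, OTHER": classify(OTHER, everything, "route"),
        "windows split, narrow TS, OTHER": classify(OTHER, narrow, "route", split),
    }
```

The "windows, narrow TS, OTHER" case is the blackhole Windows users see with leftsubnet=IP/32, "windows, full TS" is Noel's leftsubnet=0.0.0.0/0 fix, and "windows split" is the static-route plus split-tunneling workaround from the top of the thread.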