[strongSwan] Strongswan. Address definition/Routing.

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Sep 29 15:05:11 CEST 2017


As was previously mentioned, you need to set leftsubnet=0.0.0.0/0 to have access to any other IP but your local one.

On 29.09.2017 14:56, Aleksey Kravchenko wrote:
> On the Windows client I will add a static route and Set-VpnConnection -Name "VPN" -SplitTunneling 1 -AllUserConnection. All works fine.
> 
> My server configuration file:
> 
> config setup
>         uniqueids = no
> conn %default
>         esp = aes-aes256-sha-modp1024,aes256-sha512-modp4096
>         ike = aes-aes256-sha-modp1024,aes256-sha512-modp4096
>
>         dpdaction = clear
>         dpddelay = 35s
>         dpdtimeout = 2000s
>         fragmentation = yes
>         rekey = no
>
>         left = %any
>         leftfirewall = yes
>         leftcert = fullchain.pem
>         leftsendcert = always
>
>         right = %any
>         rightsourceip = 192.168.103.0/24
>         rightdns = 8.8.8.8,8.8.4.4
>         eap_identity = %any
>
> conn IPSec-IKEv2
>         keyexchange = ikev2
>         auto = add
>
> conn IPSec-IKEv2-EAP
>         also = "IPSec-IKEv2"
>         rightauth = eap-radius
>         leftid = DOMAIN.LTD (on my second white IP)
>         auto = add
>         leftsubnet=IP/32
>
> conn IKEv2-MSCHAPv2-Apple
>         also = "IPSec-IKEv2"
>         ike = aes256-sha256-modp1024,3des-sha1-modp1024,aes256-sha1-modp1024!
>         esp = aes256-sha256,3des-sha1,aes256-sha1!
>         rightauth=eap-radius
>         leftid = DOMAIN.LTD
>         leftsubnet=IP/32
> 
> 
> 
> 2017-09-29 13:38 GMT+03:00 Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>:
> 
>     If I could award a star for disinformation, this one would get it.
> 
>     1) The article about interoperability with Windows explains how to get routes working for crappy Windows clients.
>     2) As Anvar explained, leftsubnet sets the local traffic selector, which defines which destinations are allowed by the IPsec policies. Set leftsubnet=0.0.0.0/0.
>     3) You can not only allow certain protocols through the tunnel without blackholing all other protocols, if the sender uses route based IPsec.
>     4) You likely use libipsec. Stop doing that, it sucks. It is likely the cause of Android and other clients working, but not Windows with your wrong configuration, if you tested Android and other clients with leftsubnet=[IP]/32.
> 
>     Kind regards
> 
>     Noel
> 
>     On 29.09.2017 12:23, Anvar Kuchkartaev wrote:
>     > I don't think Windows is able to obtain routes from an IKE VPN server. Windows must be using a 0.0.0.0/0 route to your VPN server and sending all traffic to it, but if you configured left=[IP]/32 on the VPN server side then all traffic other than to that IP is not authorised to pass through the tunnel. I don't know how to configure VPN routes in Windows and I would rather recommend configuring a router standing between Windows and the Internet and sharing the router's tunnel with the other devices connected to it.
>     >
>     > Anvar Kuchkartaev 
>     > anvar at anvartay.com
>     > *From: *Aleksey Kravchenko
>     > *Sent: *viernes, 29 de septiembre de 2017 12:08 p.m.
>     > *To: *Noel Kuntze; users at lists.strongswan.org <mailto:users at lists.strongswan.org>
>     > *Subject: *Re: [strongSwan] Strongswan. Address definition/Routing.
>     >
>     >
>     > Hello again! I need your help.
>     >
>     > The problem is that the traffic through VPN is sent only when accessing one specific IP. I pointed this IP to leftsubnet = IP / 32 and everything works well for linux, macos, android, ios. But Windows in this case does not see the Internet and only the address specified in leftsubnet is available to it.
>     >
>     > And is it still possible to specify specific ports? For example, you can only take http and https through VPN. The protoport option did not help.
>     > Thank you in advance!
>     >
>     > 2017-09-25 16:10 GMT+03:00 Aleksey Kravchenko <gmkrab at gmail.com>:
>     >
>     >     Good.
>     >     Thank you, Noel.
>     >
>     >     2017-09-25 16:08 GMT+03:00 Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>:
>     >
>     >         Hi,
>     >
>     >         No. As I previously wrote, this is a system intrinsic problem.
>     >
>     >         Kind regards
>     >
>     >         Noel
>     >
>     >         On 25.09.2017 15:03, Aleksey Kravchenko wrote:
>     >         > Hello. I managed to solve the problem with routes on windows and macos. For this purpose, a second white IP was used.
>     >         > p.s. Are there any ways or tricks to solve this problem with the same IP address?
>     >         >
>     >         > 2017-09-14 11:03 GMT+03:00 Aleksey Kravchenko <gmkrab at gmail.com>:
>     >         >
>     >         >     Hello, Noel. Thanks for the answer. Unfortunately, there is no way to bypass. As a solution we can use the second white IP for Strongswan, and the web server on the 1st IP.
>     >         >
>     >         >     2017-09-13 22:17 GMT+03:00 Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>:
>     >         >
>     >         >         Hi,
>     >         >
>     >         >         That is because Windows and MacOS implement crappy route based IPsec which conceptually can not protect traffic to the IKE peer's
>     >         >         address (unless policy based routing is used, which neither Windows nor MacOS implement).
>     >         >
>     >         >         Kind regards
>     >         >
>     >         >         Noel
>     >         >
>     >         >         On 13.09.2017 17:14, Aleksey Kravchenko wrote:
>     >         >         > Hello. I need your advice.
>     >         >         > The work of Strongswan + IKEv2 is configured. Everything works fine (on iOS, macOS, Windows, Linux), but I noticed strange behavior in the VPN's work. There is a server on which Strongswan and Nginx are installed. When you connect to the VPN and go to the site which is located in the same place as the strongswan daemon, the nginx log shows different addresses for connections. For instance: android / linux -> login from the address issued by the VPN (for example, 192.168.1.2).
>     >         >         > windows / macos -> login from the usual address (provider address).
>     >         >         > But if you go to the IP detection server, the result for all devices is the same: you logged in from the VPN server. Maybe you have any thoughts about this? Thank you!
>     >         >
>     >         >
>     >         >
>     >
>     >
>     >
>     >
> 
> 

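To make the traffic-selector point of this thread concrete, here is an added model (example code written for this archive page, not strongSwan's own code) of how a selector built from the server's leftsubnet and protoport decides which client packets the IPsec policy covers, and why a route-based client that sends everything to the VPN interface blackholes the uncovered packets while a policy-based client just sends them unprotected. The addresses 203.0.113.10 (standing in for the user's IP/32) and 198.51.100.7, the client function names and the Packet class are all constructed for this illustration.

```python
"""Model of a strongSwan-style traffic selector <subnet, protoport> and of
the two client behaviours discussed in the thread.

Added illustration, not strongSwan code. From the client's point of view
the server's leftsubnet is the remote selector, so it decides which
destinations the client's IPsec policies cover at all.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    dst: str      # destination IP as the client sees it
    proto: str    # "tcp", "udp", "icmp", ...
    dport: int    # destination port (0 if the protocol has none)


def parse_protoport(spec):
    """Parse a protoport value such as "tcp/443", "tcp" or "%any".
    Returns (proto or None, port or None); None means "any"."""
    if spec in (None, "", "%any"):
        return None, None
    proto, _, port = spec.partition("/")
    proto = None if proto in ("", "%any") else proto.lower()
    port = None if port in ("", "%any") else int(port)
    return proto, port


def selector_matches(subnet, protoport, pkt):
    """True if the packet falls inside the selector, i.e. an IPsec policy
    exists that covers it."""
    net = ipaddress.ip_network(subnet, strict=False)
    if ipaddress.ip_address(pkt.dst) not in net:
        return False
    proto, port = parse_protoport(protoport)
    if proto is not None and pkt.proto != proto:
        return False
    if port is not None and pkt.dport != port:
        return False
    return True


def route_based_client(subnet, protoport, packets):
    """Route-based IPsec as the thread describes it for Windows: a
    0.0.0.0/0 route hands every packet to the VPN, and a packet no policy
    covers is dropped (blackholed), not sent in clear.
    Returns {dst: "tunnel" | "dropped"}."""
    return {p.dst: ("tunnel" if selector_matches(subnet, protoport, p) else "dropped")
            for p in packets}


def policy_based_client(subnet, protoport, packets):
    """Policy-based IPsec (kernel SPD lookup): covered packets go through
    the tunnel, everything else follows the normal routing table
    unprotected. Returns {dst: "tunnel" | "clear"}."""
    return {p.dst: ("tunnel" if selector_matches(subnet, protoport, p) else "clear")
            for p in packets}


# Constructed sample traffic; 203.0.113.10 stands in for "IP" in leftsubnet=IP/32.
SAMPLE = [
    Packet("203.0.113.10", "tcp", 443),   # the one host the user wanted reachable
    Packet("198.51.100.7", "tcp", 80),    # some other web site
    Packet("8.8.8.8", "udp", 53),         # DNS pushed via rightdns
]

if __name__ == "__main__":
    for subnet in ("203.0.113.10/32", "0.0.0.0/0"):
        print(subnet, "route-based: ", route_based_client(subnet, "%any", SAMPLE))
        print(subnet, "policy-based:", policy_based_client(subnet, "%any", SAMPLE))
    # Narrowing with protoport on a route-based client drops every other protocol.
    print("0.0.0.0/0 tcp/443 route-based:",
          route_based_client("0.0.0.0/0", "tcp/443", SAMPLE))
```

Running it shows the thread's two observations side by side: with the IP/32 selector the route-based client can only reach the one host and drops the rest, the policy-based client reaches the rest in clear, and 0.0.0.0/0 is the only selector under which the route-based client keeps Internet access. Restricting protoport to tcp/443 on the route-based client drops DNS and plain HTTP the same way, which is the blackholing Noel refers to in point 3.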