[strongSwan] Not all routes added

Nagy László Zsolt gandalf at mess.hu
Wed Dec 23 12:21:42 CET 2020


  Hi,

I have a VPN server on a MikroTik router. I'm trying to connect to it
from strongswan client on Ubuntu 10.04.1 LTS.

This is how I installed strongswan:

apt install strongswan network-manager-strongswan strongswan-nm
libstrongswan-extra-plugins strongswan-swanctl

Then I used the network manager applet (GUI) to add a new VPN
connection. The server uses IKEv2 with server and client side
certificates for authentication.

My problem is that when I connect to the server, only the first route is
added.

For example, if I have this on the server:

/ip ipsec mode-config add address-pool=vpn.my.server.hu address-prefix-length=32 name="modeconf vpn.my.server.hu" split-include=192.168.13.0/24,172.111.0.0/16,10.0.88.0/24 static-dns=10.0.88.1 system-dns=no

Then I can see this in ip xfrm policy after the VPN server is connected:

src 10.0.88.100/32 dst 192.168.13.0/24
	dir out priority 371327
	tmpl src 192.168.14.2 dst 1.2.3.5
		proto esp spi 0x0c51282e reqid 4 mode tunnel
src 192.168.13.0/24 dst 10.0.88.100/32
	dir fwd priority 371327
	tmpl src 1.2.3.5 dst 192.168.14.2
		proto esp reqid 4 mode tunnel
src 192.168.13.0/24 dst 10.0.88.100/32
	dir in priority 371327
	tmpl src 1.2.3.5 dst 192.168.14.2
		proto esp reqid 4 mode tunnel

As you can see, 172.111.0.0/16 was not added. 10.0.88.0/24 was also not
added.

If I change the order of the networks on the server, then the first one
takes precedence. For example this config:

/ip ipsec mode-config add address-pool=vpn.my.server.hu address-prefix-length=32 name="modeconf vpn.my.server.hu" split-include=172.111.0.0/16,192.168.13.0/24,10.0.88.0/24 static-dns=10.0.88.1 system-dns=no

will add a route for 172.111.0.0/16 on the client, but not for
192.168.13.0/24 or 10.0.88.0/24.

The problem is not with the VPN server, because I can connect to it from
Windows 10, and all routes pushed by the server are correctly added to
the routing table.

There must be an option somewhere for this, but I just can't find it.

Thanks,

   Laszlo
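A quick client-side check that makes the symptom above explicit: compare the subnets the server's split-include is expected to push against the destinations that actually have an outbound (dir out) IPsec policy in `ip xfrm policy`. This is an added example, not code from the post or from strongSwan; the sample policy text is constructed from the three policies quoted above, and the expected list is the first split-include configuration. On a live client the same functions run over the real `ip xfrm policy` output (as root).

```shell
#!/bin/sh
# Added check (not from the original post): list the mode-config subnets that
# have no outbound IPsec policy on the client.

# Constructed sample input: the three policies quoted in the post, laid out the
# way `ip xfrm policy` prints them (one CHILD_SA, one traffic selector).
SAMPLE_XFRM_POLICY='src 10.0.88.100/32 dst 192.168.13.0/24
    dir out priority 371327
    tmpl src 192.168.14.2 dst 1.2.3.5
        proto esp spi 0x0c51282e reqid 4 mode tunnel
src 192.168.13.0/24 dst 10.0.88.100/32
    dir fwd priority 371327
    tmpl src 1.2.3.5 dst 192.168.14.2
        proto esp reqid 4 mode tunnel
src 192.168.13.0/24 dst 10.0.88.100/32
    dir in priority 371327
    tmpl src 1.2.3.5 dst 192.168.14.2
        proto esp reqid 4 mode tunnel'

# The split-include list from the server-side mode-config quoted in the post.
EXPECTED_SUBNETS='192.168.13.0/24 172.111.0.0/16 10.0.88.0/24'

# outbound_dsts: read `ip xfrm policy` output on stdin and print the
# destination prefix of every outbound (dir out) policy, one per line.
# Template lines are indented, so only policy header lines match /^src /.
outbound_dsts() {
    awk '/^src / { dst = $4 }
         /^[ \t]*dir out/ { print dst }'
}

# missing_subnets POLICY_TEXT EXPECTED_LIST: print, space separated, every
# expected subnet that has no outbound policy protecting traffic to it.
missing_subnets() {
    installed=$(printf '%s\n' "$1" | outbound_dsts)
    missing=
    for net in $2; do
        if ! printf '%s\n' "$installed" | grep -qxF -- "$net"; then
            missing="$missing${missing:+ }$net"
        fi
    done
    printf '%s\n' "$missing"
}

# Stand-alone demo on the constructed sample. On a live client run instead:
#   missing_subnets "$(ip xfrm policy)" "$EXPECTED_SUBNETS"
echo "Installed outbound destinations:"
printf '%s\n' "$SAMPLE_XFRM_POLICY" | outbound_dsts
echo "Expected but not installed: $(missing_subnets "$SAMPLE_XFRM_POLICY" "$EXPECTED_SUBNETS")"
```

Only destinations with a dir out policy are considered, because that is the direction that decides whether traffic from the client to a given subnet enters the tunnel at all; a subnet that is missing here is routed in the clear (or not at all), regardless of what the server believes it pushed.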
