[strongSwan] Not all routes added

gandalf at mess.hu gandalf at mess.hu
Fri Dec 25 15:15:57 CET 2020


> If I change the order of the networks on the server, then the first
> one takes precedence. For example this config:
>
> /ip ipsec mode-config add address-pool=vpn.my.server.hu
> address-prefix-length=32 name="modeconf vpn.my.server.hu" split-include=172.111.0.0/16,192.168.13.0/24,10.0.88.0/24 static-dns=10.0.88.1 system-dns=no
>
> Will add route for 172.111.0.0/16 on the client. But it won't add
> 192.168.13.0/24 nor 10.0.88.0/24.
>
> The problem is not with the VPN server, because I can connect to it
> from Windows 10, and all routes pushed by the server are correctly
> added to the routing table.
>
I found this: Split-Tunneling with IKEv2
https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Split-Tunneling-with-IKEv2

In particular, it says that "most remote access clients will propose
0.0.0.0/0 as remote traffic selector, so split-tunneling must be
configured on the gateway" and "all strongswan based clients support
this kind of narrowing". It confirms that it should work.

I have checked the logs again and I found this in it:

Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] IKE_SA
laci at my.server.hu[2] established between 192.168.14.2[C=HU, ST=Heves,
L=Eger, O=my.server.hu,
CN=laci at vpn.my.server.hu]...1.2.3.5[vpn.my.server.hu]
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] scheduling rekeying in 35488s
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] maximum IKE_SA lifetime 36088s
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] handling
INTERNAL_IP4_NETMASK attribute failed
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] handling
INTERNAL_IP4_SUBNET attribute failed
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] handling
INTERNAL_IP4_SUBNET attribute failed
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] installing new virtual IP
10.0.88.100
Dec 22 14:10:59 laci-ryzen avahi-daemon[1177]: Registering new address
record for 10.0.88.100 on enp5s0.IPv4.
Dec 22 14:10:59 laci-ryzen charon: 05[KNL] 10.0.88.100 appeared on enp5s0

I think that these "INTERNAL_IP4_SUBNET attribute failed" messages are
emitted because the client cannot add the policies for the subnets.
There are 3 subnets specified in split-include. The first one is always
added, and there are 2 error messages for the remaining two. This is
only a guess, I'm not sure.

But where is the error coming from? The "attribute handling failed"
message is not too useful for finding the root of the problem.

It could be because of a lack of permissions - but that is unlikely. It can
always add the first subnet; probably the user has permission for many of them.

I'm clueless.
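As an added illustration (not code from the thread or from strongSwan), the script below re-joins the mail-wrapped charon records quoted above, counts which mode-config attributes charon-nm rejected, picks out the installed virtual IP and, on the poster's assumption that each INTERNAL_IP4_SUBNET failure drops one split-include subnet, lists the subnets that will end up without a route through the tunnel. The abridged log and the subnet list are taken from this message.

```python
import re
from collections import Counter

# Abridged from the log quoted above; the mailer wrapped long records, so
# continuation lines do not start with a syslog timestamp.
LOG = """\
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] IKE_SA
laci at my.server.hu[2] established between 192.168.14.2[C=HU, ST=Heves,
L=Eger, O=my.server.hu,
CN=laci at vpn.my.server.hu]...1.2.3.5[vpn.my.server.hu]
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] handling
INTERNAL_IP4_NETMASK attribute failed
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] handling
INTERNAL_IP4_SUBNET attribute failed
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] handling
INTERNAL_IP4_SUBNET attribute failed
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] installing new virtual IP
10.0.88.100
"""
# The split-include list from the quoted RouterOS mode-config line.
SPLIT_INCLUDE = ["172.111.0.0/16", "192.168.13.0/24", "10.0.88.0/24"]

TS = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
FAILED = re.compile(r"handling (INTERNAL_\w+) attribute failed")
VIP = re.compile(r"installing new virtual IP (\S+)")

def unwrap(text):
    """Re-join syslog records that the mailer wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def analyse(text, split_include):
    """Count failed mode-config attributes, find the virtual IP and list the
    subnets left without a route if each SUBNET failure dropped one subnet."""
    failed, vip = Counter(), None
    for rec in unwrap(text):
        if m := FAILED.search(rec):
            failed[m.group(1)] += 1
        elif m := VIP.search(rec):
            vip = m.group(1)
    # Assumption (the poster's guess): the first subnet is installed, the rest fail.
    n_lost = min(failed["INTERNAL_IP4_SUBNET"], len(split_include))
    unrouted = split_include[len(split_include) - n_lost:] if n_lost else []
    return dict(failed), vip, unrouted
```

A subnet reported as unrouted matters beyond connectivity: packets for it follow the client's default route and leave the host outside the IPsec tunnel.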

