[strongSwan] local_ts/remote_ts (split tunneling) trouble
Constantin Jacob
cjacob at fastmail.com
Mon Feb 17 11:39:24 CET 2020
Hey,
I have carefully read through previous archived posts on here about this topic and have also made it all the way to page 10 in Google search before giving up. So far I wasn't able to find anything that was able to help me.
I am trying to setup split tunneling in swanctl.conf server side, so on the responder end. I am struggling a bit with the terminology but I get better, please correct if I am wrong. The initiator is an iPhone running iOS 13.3.
In a previous E-Mail thread here I have stumbled onto this which has helped me in many ways:
The leftsubnet parameter controls what source addresses in an IP packet are valid for tunneling.
The rightsubnet parameter controls what destination addresses in an IP packet are valid for tunneling.
Those two constraints are used to find out what packets should go through the tunnel by checking
the source and destination and seeing if both match.
I had a base config that is working great with my iPhone but it sends everything through the tunnel, with local_ts set to 0.0.0.0/0.
In order to get my feet wet I figured I try to remove everything but the IP of my own web server and go from there, since I could watch the access logs and see the IP there as a form of verification (I have another server in another range that was watching as well). Setting that IP range in remote_ts leads to the iPhone being unable to establish any internet connections anymore
This is my current config. Commenting out the remote_ts line leads to a perfectly working connection again.
connections {
ikev2_iphoneos {
version = 2
proposals = aes256-sha384-ecp384,default
rekey_time = 0s
pools = dhcp_ipv4
fragmentation = yes
mobike = yes
encap = yes
send_cert = always
dpd_delay = 90s
local {
cert_gateway {
file = .crt
}
id =
}
remote {
auth = eap-mschapv2
eap_id = %any
}
children {
ikev2_iphoneos {
mode = tunnel
local_ts = 0.0.0.0/0
remote_ts = 212.12.47.1/29, 8.8.0.0/16
rekey_time = 0s
dpd_action = clear
esp_proposals = aes256gcm16-ecp384,default
}
}
}
}
pools {
dhcp_ipv4 {
addrs = 10.99.0.0/16
dns = 8.8.4.4, 8.8.8.8
}
}
secrets {
ecdsa_gateway {
id =
file = .key
}
}
I then tried setting local_ts to the public IPv4 address of my server which leads to a perfectly working connection but effectively nothing being tunneled anymore. My guess right now is that local_ts is always wrong and I can't use 0.0.0.0/0 since that would mean everything. I have tried setting it to the virtual IP range but that leads to errors being thrown server side (responder) while establishing the connection.
Thank you very much for any help in advance!
Best
CJ
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200217/1ea2b6fd/attachment-0001.html>
More information about the Users
mailing list