[strongSwan] Configuration recommendations for multi-WAN roadwarrior setup

/M hs2013 at sledge-it.net
Thu Jan 2 12:45:51 CET 2020


Hi,

Happy new year! Many thanks for the great project and the support.

I'm currently trying to find a good configuration for the following
setup, but I have been unsuccessful so far:
  * strongSwan gateway with 2 WAN interfaces on an EdgeRouter PoE:
     * WAN1: IPv4 static private IP address 192.168.240.2/24 behind a
       pfSense firewall (192.168.240.1) and dynamic IP allocation
     * WAN2: public DSL uplink with static IP address
     * LAN: 172.16.0.0/24

WAN1 is the primary (fast) internet uplink for the network, WAN2 is only 
used for static routes and manual fail-over.

To access WAN1, a client has to connect to an 802.11x-enabled WiFi and
will receive an IP from 192.168.240.0/24.
To access WAN2, a client can contact the static IP.

Goal for the VPN: the users should be able to access the LAN from both
WAN ports.
I was able to set up two simple configurations for both (see below), but
I have to add a static route for the WAN2 road warriors to allow correct
routing.

My question: are there any configuration combinations (route-based VPN,
custom scripts, etc.) that allow the correct routing?
Many thanks for your help and recommendations.

Cheers

/M

# ipsec version
Linux strongSwan U5.6.3/K4.9.79-UBNT
---------------------------
ipsec.conf:
config setup
     uniqueids=no
     strictcrlpolicy=yes

ca myca
     cacert=/config/user-data/ipsec.d/cacerts/my_CA.crt
     auto=add

conn vpn-base
     keyexchange=ikev2
     dpdaction=clear
     dpddelay=60s
     leftid="..."
     leftsubnet=172.16.0.0/24
     leftcert=/config/user-data/ipsec.d/certs/my.crt
     leftsendcert=always
     leftfirewall=yes
     right=%any
     rightsourceip=192.168.200.10-192.168.200.30
     rightdns=172.16.0.1
     rightauth=pubkey

conn WAN1
     also=vpn-base
     left=192.168.240.2
     auto=add

conn WAN2
     also=vpn-base
     left=XXX.XXX.142.228
     auto=add
---------------------------

---------------------------
# ip xfrm policy
src 172.16.0.0/24 dst 192.168.200.10/32
     dir out priority 371327
     tmpl src XXX.XXX.142.228 dst YYY.YYY.243.68
         proto esp spi 0xc68d7927 reqid 1 mode tunnel
src 192.168.200.10/32 dst 172.16.0.0/24
     dir fwd priority 371327
     tmpl src YYY.YYY.243.68 dst XXX.XXX.142.228
         proto esp reqid 1 mode tunnel
src 192.168.200.10/32 dst 172.16.0.0/24
     dir in priority 371327
     tmpl src YYY.YYY.243.68 dst XXX.XXX.142.228
         proto esp reqid 1 mode tunnel
---------------------------

---------------------------
# ip route
default via 192.168.240.2 dev eth1 proto zebra
YYY.YYY.0.0/12 via XXX.XXX.142.228 dev pppoe0 proto zebra
---------------------------
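The routing problem described in this post can be checked mechanically: for every outbound xfrm policy, the ESP packets are sent from the template's `src` address (the WAN address the road warrior contacted) to the template's `dst` address (the road warrior), and the kernel picks the egress interface for that destination from the normal routing table. Without the manual `/12` route, the destination matches only the default route via eth1 (WAN1), so a packet sourced from the WAN2 address would leave on the WAN1 interface, which is exactly the asymmetry the static route papers over. The script below is an added example, not code from the post or from the strongSwan project. It parses the `ip xfrm policy` and `ip route` output shown above (with the masked public addresses replaced by constructed documentation-range placeholders) and reports every tunnel whose ESP traffic would leave on an interface other than the one owning its local address. The interface-to-address mapping is an assumption taken from the post's description of the two WAN links.

```python
import ipaddress
import re

# Constructed sample: the `ip xfrm policy` output from the post. The masked
# addresses XXX.XXX.142.228 (WAN2) and YYY.YYY.243.68 (road warrior) are
# replaced by documentation-range placeholders (assumption).
XFRM_POLICY = """\
src 172.16.0.0/24 dst 192.168.200.10/32
     dir out priority 371327
     tmpl src 203.0.113.228 dst 198.51.100.68
         proto esp spi 0xc68d7927 reqid 1 mode tunnel
src 192.168.200.10/32 dst 172.16.0.0/24
     dir fwd priority 371327
     tmpl src 198.51.100.68 dst 203.0.113.228
         proto esp reqid 1 mode tunnel
src 192.168.200.10/32 dst 172.16.0.0/24
     dir in priority 371327
     tmpl src 198.51.100.68 dst 203.0.113.228
         proto esp reqid 1 mode tunnel
"""

# Constructed routing tables: only the default route (before the manual fix)
# and the table as posted, with the /12 static route towards WAN2
# (198.48.0.0/12 stands in for the masked YYY.YYY.0.0/12).
ROUTES_BEFORE = "default via 192.168.240.2 dev eth1 proto zebra\n"
ROUTES_AFTER = ROUTES_BEFORE + "198.48.0.0/12 via 203.0.113.228 dev pppoe0 proto zebra\n"

# Assumed interface ownership of the two WAN addresses, per the post.
IFACE_ADDRS = {"eth1": "192.168.240.2", "pppoe0": "203.0.113.228"}


def parse_policies(text):
    """Parse `ip xfrm policy` output into one dict per policy block."""
    policies = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):
            m = re.match(r"src (\S+) dst (\S+)", line)
            current = {"src": m.group(1), "dst": m.group(2)}
            policies.append(current)
        elif line.startswith("dir "):
            current["dir"] = line.split()[1]
        elif line.startswith("tmpl "):
            m = re.match(r"tmpl src (\S+) dst (\S+)", line)
            current["tmpl_src"], current["tmpl_dst"] = m.group(1), m.group(2)
        elif line.startswith("proto "):
            current["reqid"] = int(re.search(r"reqid (\d+)", line).group(1))
    return policies


def parse_routes(text):
    """Parse `ip route` output into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(prefix, strict=False)
        routes.append((net, parts[parts.index("dev") + 1]))
    return routes


def egress_device(routes, dst):
    """Longest-prefix match: the interface the kernel would send `dst` out of."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def find_asymmetric_tunnels(policies, routes, iface_addrs):
    """Return (reqid, local_addr, owning_dev, egress_dev) for each outbound
    policy whose ESP packets would leave on an interface that does not own
    the tunnel's local address."""
    addr_to_dev = {addr: dev for dev, addr in iface_addrs.items()}
    findings = []
    for p in policies:
        if p.get("dir") != "out":
            continue
        owning = addr_to_dev.get(p["tmpl_src"])
        egress = egress_device(routes, p["tmpl_dst"])
        if owning != egress:
            findings.append((p["reqid"], p["tmpl_src"], owning, egress))
    return findings


if __name__ == "__main__":
    pols = parse_policies(XFRM_POLICY)
    for label, table in (("before static route", ROUTES_BEFORE), ("after static route", ROUTES_AFTER)):
        hits = find_asymmetric_tunnels(pols, parse_routes(table), IFACE_ADDRS)
        print(f"{label}: {hits or 'no asymmetric tunnels'}")
```

On the router itself the same question is answered per peer by `ip route get <peer> from <local WAN address>`, which shows the interface the kernel would actually use; the script is the offline version of that check over a whole policy dump, and a source-address based policy routing rule (an `ip rule` sending traffic sourced from the WAN2 address to a table whose default route is pppoe0) is the general form of the per-prefix static route the post adds by hand.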