[strongSwan] StrongSwan w/ multiple local subnets.

[TomK]

Hello,

I have an Asus router using DD-WRT. On this router I've enabled ospf. 
The router sits on VLAN1: 192.168.0.0/24


There are two more VLAN's within the space:


VLAN2: 10.0.0.0/24
VLAN3: 10.1.0.0/24
VLAN4: 10.2.0.0/24
VLAN5: 10.3.0.0/24

I've installed StrongSwan on top of this router and looking to configure 
site-to-site VLAN via IKEv2 to 4 more external VLAN's:

VLAN1: 10.10.0.0/24
VLAN2: 10.10.1.0/24
VLAN3: 10.10.2.0/24
VLAN4: 10.10.3.0/24

So my config looks like this:

/opt/etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
         # strictcrlpolicy=yes
         # uniqueids = no

# Add connections here.

conn REMOTE-VLAN1
         authby=secret
         auto=start
         type=tunnel
         keyexchange=ikev2
         keylife=3600s
         ikelifetime=28800s
         left=100.100.100.100
         leftsubnet=192.168.0.0/24
         # leftnexthop=%defaultroute
         right=123.123.123.123

rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
         ike=aes256-sha1-modp1024
         esp=aes256-sha1

conn REMOTE-VLAN2
         authby=secret
         auto=start
         type=tunnel
         keyexchange=ikev2
         keylife=3600s
         ikelifetime=28800s
         left=100.100.100.100
         leftsubnet=10.0.0.0/24
         # leftnexthop=%defaultroute
         right=123.123.123.123

rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
         ike=aes256-sha1-modp1024
         esp=aes256-sha1

conn REMOTE-VLAN5
         authby=secret
         auto=start
         type=tunnel
         keyexchange=ikev2
         keylife=3600s
         ikelifetime=28800s
         left=100.100.100.100
         leftsubnet=10.3.0.0/24
         # leftnexthop=%defaultroute
         right=123.123.123.123

rightsubnet=10.10.0.0/24,10.10.1.0/24,10.10.2.0/24,10.10.3.0/24,10.10.4.0/24
         ike=aes256-sha1-modp1024
         esp=aes256-sha1



root at ASUS01:~# ipsec status
Security Associations (1 up, 0 connecting):
  REMOTE-VLAN1[1]: ESTABLISHED 3 seconds ago, 100.100.100.100 
[100.100.100.100 ]...123.123.123.123[123.123.123.123]
  REMOTE-VLAN1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 
ada5f39c_i a96955ba_o
  REMOTE-VLAN1{1}:   192.168.0.0/24 === 10.10.0.0/24 10.10.1.0/24 
10.10.2.0/24 10.10.3.0/24 10.10.4.0/24
root at ASUS01:~#

Just by the effect of the configuration file and what is happening on 
restart, doesn't appear I can create any other VLAN routes other then 
from the VLAN I'm currently on.

How do I effectively make a site-to-site VPN configuration using 
StrongSwan between all 10 VLAN's?

Additionally, for the VLAN that does have a tunnel created, I can ping a 
local (left) subnet directly but not vice versa.

I'm interested in the correct configuration to use first since I'm very 
new to this.  If this still doesn't work, I'll post the logs from a good 
known configuration.

-- 
Thx,
TK.