[strongSwan] help setting up connection for 1 type of traffic
Lewis Robson
robsonl at conscious.co.uk
Wed Jul 14 12:30:23 CEST 2021
Hello all.
I've been stuck on this one for many, many hours now!
I am trying to set up a connection (split routing?) that will allow 1
type of traffic, and the rest will be normally routed through the user's
device as per their usual connection.
E.g. if they hit X IP address with Y service, it will be allowed
through; otherwise, if they went to Google and did a "what's my IP", their
current IP will show and not the IPsec IP.
With my current setup, IPsec is working but users get the IPsec IP. If
I set transport mode, I can still connect to the VPN; however, it stops
me being able to SSH on until I stop the strongSwan service.
Here is my config:
conn into-ext-vpn
    auto=route
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=servers external ip
    leftcert=server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.0.3.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
Please can someone advise on how to go about setting it up so that I can
have users connect in when they request 1 specific service; otherwise
they continue to use their current network?
Thank you
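An added example, not part of the original post or of strongSwan's own documentation: the same conn with the one setting that decides what the client routes into the tunnel changed. `leftsubnet=0.0.0.0/0` offers every destination as the tunnel's traffic selector, so clients send all traffic (and their "what's my IP" checks) through it; narrowing it to one host and service is the split-routing the post asks about. The address 203.0.113.10 and port 22 are constructed placeholders.

```ini
# Added example (not from the original post): split-tunnel variant of the
# posted conn. In IKEv2 the responder may narrow the initiator's proposed
# traffic selectors (typically 0.0.0.0/0) to what leftsubnet offers, and the
# client then routes only that selector through the tunnel. Everything
# else keeps using the client's normal default route.
conn into-ext-vpn-split
    auto=route
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    # placeholder, as in the original post
    leftid=<servers external ip>
    leftcert=server-cert.pem
    leftsendcert=always
    # Was: leftsubnet=0.0.0.0/0
    #   -> every destination is sent into the tunnel, so the user's visible
    #      public IP becomes the VPN server's address.
    # Now: a single host and a single service. Syntax is
    #   <net>[<proto>/<port>], several selectors separated by commas.
    #   Constructed placeholder values: one host, TCP port 22.
    leftsubnet=203.0.113.10/32[tcp/22]
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.0.3.0/24
    # With only one selector tunnelled, ordinary DNS stays on the client's
    # own resolver; rightdns is kept only if names inside the tunnel need it.
    rightdns=8.8.8.8,8.8.4.4
    rightsendcert=never
    eap_identity=%identity
    # Only the AEAD/ECDH proposals from the original are kept here; the
    # 3des/sha1/modp1024 fallbacks are legacy and omitted in this example.
    ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384!
    esp=chacha20poly1305-sha512,aes256gcm16-ecp384!
```

After reloading the config, `ipsec statusall` shows the installed traffic selector for the conn, which is where to confirm the client negotiated the narrowed 203.0.113.10/32[tcp/22] rather than 0.0.0.0/0.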