[strongSwan] help setting up connection for 1 type of traffic

Lewis Robson robsonl at conscious.co.uk
Wed Jul 14 13:00:41 CEST 2021


Third one! I've figured it, I think; removing the subnet line seems to be 
doing the job, I think?


On 14/07/2021 11:42, Lewis Robson wrote:
> Just a follow-up: it's the auto line that stops the connection, not the type.
>
>
> Thanks
>
>
> On 14/07/2021 11:30, Lewis Robson wrote:
>> Hello all.
>>
>> I've been stuck on this one for many, many hours now!
>>
>> I am trying to set up a connection (split routing?) that will allow 1 
>> type of traffic, and the rest will be normally routed through the 
>> user's device as per their usual connection.
>>
>> e.g. if they hit x IP address with y service, it will be allowed 
>> through; otherwise, if they went to Google and did a "what's my IP", 
>> their current IP will show and not the IPsec IP.
>>
>>
>>
>> With my current set-up, IPsec is working but users get the IPsec IP. 
>> If I set transport mode, I can still connect to the VPN; however, it 
>> stops me being able to SSH on until I stop the strongSwan service.
>>
>> Here is my config:
>>
>> conn into-ext-vpn
>>         auto=route
>>         compress=no
>>         type=tunnel
>>         keyexchange=ikev2
>>         fragmentation=yes
>>         forceencaps=yes
>>         dpdaction=clear
>>         dpddelay=300s
>>         rekey=no
>>         left=%any
>>         leftid=servers external ip
>>         leftcert=server-cert.pem
>>         leftsendcert=always
>>         leftsubnet=0.0.0.0/0
>>         right=%any
>>         rightid=%any
>>         rightauth=eap-mschapv2
>>         rightsourceip=10.0.3.0/24
>>         rightdns=8.8.8.8,8.8.4.4
>>         rightsendcert=never
>>         eap_identity=%identity
>>         ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
>>         esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
>>
>>
>>
>> Please can someone advise on how to go about setting it up so that I 
>> can have users connect in when they request 1 specific service, and 
>> otherwise continue to use their current network?
>>
>>
>> Thank you
>>
>>
-- 
Lewis Robson
Systems Administrator
Conscious Solutions Limited

Tel: 0117 325 0200
Web: https://www.conscious.co.uk
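Editor's added example, not part of Lewis's thread or of the strongSwan project: the posted conn rewritten as a split tunnel. In ipsec.conf the responder's leftsubnet is the traffic selector the client is offered, so 0.0.0.0/0 (the original) tunnels everything and a "what's my IP" check shows the VPN address; leaving leftsubnet out altogether, as the thread ended up doing, narrows it to the server's own address only. Narrowing it to one host and one port is the explicit way to get "1 type of traffic". The example assumes that service is SSH (tcp/22) on an internal host written as the placeholder 192.0.2.10; the server's public address and certificate file are placeholders too.

```conf
# Added example, not the original poster's config. Placeholders: 192.0.2.10
# (the one internal host users need), <server external IP>, server-cert.pem.
conn into-ext-vpn
        # responder side: load the conn and wait for clients. auto=route
        # installs a trap policy, which is for initiators, not a %any responder
        auto=add
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftid=<server external IP>
        leftcert=server-cert.pem
        leftsendcert=always
        # The traffic selector decides what the client tunnels. One host and
        # one port here, so the client only installs a route/policy for
        # 192.0.2.10 port 22 and everything else stays on its own connection.
        # 0.0.0.0/0 would make it a full tunnel; no leftsubnet at all means
        # "the server's own address only".
        leftsubnet=192.0.2.10/32[tcp/22]
        right=%any
        rightid=%any
        rightauth=eap-mschapv2
        rightsourceip=10.0.3.0/24
        rightsendcert=never
        eap_identity=%identity
        # rightdns left out: DNS is not inside the selector, so pushed
        # resolvers would be queried outside the tunnel anyway
        # proposals kept to the AEAD/ECDH sets from the original; the
        # sha1, modp1024 and 3des fallbacks are dropped
        ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384!
        esp=chacha20poly1305-sha512,aes256gcm16-ecp384!
```

After `ipsec reload`, `ipsec statusall` shows the negotiated child selectors for a connected client; the CHILD_SA line should list 192.0.2.10/32[tcp/22] rather than 0.0.0.0/0. Whether the client then routes only that traffic through the tunnel depends on the client honouring the narrowed IKEv2 selector; the strongSwan clients do, so a "what's my IP" check from such a client shows the user's own address while SSH to the internal host goes through the VPN.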


