mlimalotic opened a new issue #3138: StrongSwan with several rightsubnet's - ikev1
URL: https://github.com/apache/cloudstack/issues/3138

##### ISSUE TYPE
* Bug Report

##### COMPONENT NAME
~~~
VR StrongSwan
~~~

##### CLOUDSTACK VERSION
~~~
ACS 4.11.2.0
~~~

##### CONFIGURATION
Advanced Network VPC

##### OS / ENVIRONMENT

##### SUMMARY
After upgrading ACS from 4.9.3 (openswan) to 4.11.2 (strongswan), all VPNs with multiple networks have stopped working. Only one of the networks declared in the encryption domain passed traffic.

~~~
rightsubnet=192.168.198.0/23,192.168.208.0/23,192.168.170.0/23,192.168.234.0/23,192.168.69.0/24
~~~

I changed the configuration manually by creating different Child SAs, one for each network; now all networks work.

https://lists.strongswan.org/pipermail/users/2015-November/008966.html

Example:

~~~
#conn for vpn-4.3.2.1
conn vpn-4.3.2.1
    left=1.2.3.4
    leftsubnet=192.168.101.0/24
    right=4.3.2.1
    type=tunnel
    authby=secret
    keyexchange=ike
    ike=aes128-sha1-modp1024
    ikelifetime=1h
    esp=aes128-sha1-modp1024
    lifetime=8h
    keyingtries=2
    auto=start
    forceencaps=no
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart

conn net-192.168.198.0
    also=vpn-4.3.2.1
    rightsubnet=192.168.198.0/23
    auto=start

conn net-192.168.208.0
    also=vpn-4.3.2.1
    rightsubnet=192.168.208.0/23
    auto=start

conn net-192.168.170.0
    also=vpn-4.3.2.1
    rightsubnet=192.168.170.0/23
    auto=start

conn net-192.168.234.0
    also=vpn-4.3.2.1
    rightsubnet=192.168.234.0/23
    auto=start

conn net-192.168.69.0
    also=vpn-4.3.2.1
    rightsubnet=192.168.69.0/24
    auto=start
~~~
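The manual workaround described in the issue (one child conn per remote subnet, each inheriting the tunnel settings through `also=`) can be generated rather than hand-edited. The following is an added example, not code from the issue or from CloudStack; the function names, the child naming scheme and the sample dictionary are assumptions made for illustration.

```python
import ipaddress

def parse_subnets(value):
    """Parse a comma-separated rightsubnet value into unique networks, in order."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        # strict=True rejects an entry with host bits set (e.g. 192.168.199.0/23)
        # rather than silently changing the traffic selector that gets negotiated.
        net = ipaddress.ip_network(item, strict=True)
        if net not in nets:
            nets.append(net)
    if not nets:
        raise ValueError("rightsubnet is empty")
    return nets

def split_conn(name, options):
    """Render a parent conn plus one child conn per remote subnet."""
    opts = dict(options)
    nets = parse_subnets(opts.pop("rightsubnet", ""))
    auto = opts.get("auto", "start")
    lines = [f"conn {name}"] + [f"    {k}={v}" for k, v in opts.items()]
    for net in nets:
        # Child name carries parent name and prefix length so names stay unique
        # (naming scheme is an assumption; the issue used net-<address>).
        child = f"{name}-net-{net.network_address}-{net.prefixlen}"
        lines += ["", f"conn {child}", f"    also={name}",
                  f"    rightsubnet={net}", f"    auto={auto}"]
    return "\n".join(lines) + "\n"

# Constructed sample input using the values shown in the issue.
SAMPLE = {
    "left": "1.2.3.4", "leftsubnet": "192.168.101.0/24", "right": "4.3.2.1",
    "type": "tunnel", "authby": "secret", "keyexchange": "ike",
    "ike": "aes128-sha1-modp1024", "esp": "aes128-sha1-modp1024",
    "auto": "start",
    "rightsubnet": "192.168.198.0/23,192.168.208.0/23,192.168.170.0/23,"
                   "192.168.234.0/23,192.168.69.0/24",
}

if __name__ == "__main__":
    print(split_conn("vpn-4.3.2.1", SAMPLE))
```

Failing on a malformed subnet keeps a typo from producing a tunnel whose selectors differ from what the remote peer was told to expect.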
