Hi Peter,

> ipsec tunnels build from inside should have [...]
> ipsec tunnels build from outside (Internet) should have [...]
>
> Is there a way to extend/modify the config to get this behaviour?

You can define two different configurations, one for internal, one for external connections. The tricky part is to select the correct configuration for internal and external clients.

One way would be to select the config by identities, but you probably want to use the same identities (and client configuration) for internal and external connections.

Another approach is to select the config based on client addresses. But we currently do not support subnet matching for a client address, so you would end up configuring a connection for each possible client address.

The way to go is probably gateway address matching, as your gateway probably uses an internal and an external address. Defining the internal config with the gateway address left=10.x.y.z will select the internal config for clients connecting to this address. The external config having a left=external address will select the external config for clients connecting from the Internet. Even a %any definition should work for your external connection if your gateway lacks a static IP.

Regards
Martin
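
The gateway address matching described in the reply, sketched as an ipsec.conf fragment. This is an added example, not part of the original message: the conn names and the address 10.0.0.1 are constructed placeholders, and the per-connection settings elided in the question are left as comments.

```conf
# ipsec.conf (added example; conn names and addresses are constructed)

conn %default
    # Shared by both connections, so clients keep the same identities
    # and the same client-side configuration wherever they connect from.
    right=%any
    auto=add

conn internal
    # The gateway's internal address (10.x.y.z in the mail).
    # Clients that connect to this address get this connection.
    left=10.0.0.1
    # ... settings for tunnels built from inside go here ...

conn external
    # The gateway's external address. %any stands in for it when the
    # gateway has no static IP; the more specific left= of "internal"
    # still matches clients that connect to the internal address.
    left=%any
    # ... settings for tunnels built from outside (Internet) go here ...
```

After connecting once from each side, the connection name listed for the established tunnel in `ipsec statusall` shows which configuration was selected.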