Got it working. I created a virtual interface and used different left IP addresses. Now I can connect to both networks.
Regards,

On Tue, Mar 26, 2013 at 10:57 AM, Arun G Nair <[email protected]> wrote:
> Any clue on what might be happening ?
>
> On Tue, Mar 26, 2013 at 1:40 AM, Arun G Nair <[email protected]> wrote:
>> Hi,
>>
>> I'm trying to connect to a Fortigate vpn gateway with Strongswan
>> 5.0.2 from linux. I've used parameters from windows fortinet ipsec
>> client (config below) and I'm able to successfully connect to the
>> gateway. But I can't connect to multiple remote subnets at the same
>> time. I can only connect to the last subnet defined. If I re-order the
>> definitions, I can connect to the other subnet. I've done this before
>> with site to site vpn connections but this is a road warrior set up.
>> What am I missing here ?
>>
>>
>> PS: I've not tried connecting to network-mgmt. That was in the docs
>> provided for fortinet on windows, but I don't have any servers in that
>> subnet.
>>
>> [~]> cat /opt/strongswan/etc/ipsec.conf
>> # ipsec.conf - strongSwan IPsec configuration file
>>
>> # basic configuration
>>
>> config setup
>>     # strictcrlpolicy=yes
>>     uniqueids=never
>>     #charondebug="dmn 1, mgr 1, ike 2, chd 1, job 1, cfg 3, knl 2, net 2, enc 1, lib 1"
>>
>> conn %default
>>     ikelifetime=8h
>>     keylife=30m
>>     rekeymargin=3m
>>     keyingtries=3
>>     keyexchange=ikev1
>>     ike=3des-sha-modp1536,aes-sha-modp1536
>>     esp=3des-sha-modp1536,aes-sha-modp1536
>>     aggressive=yes
>>     authby=secret
>>
>> conn network
>>     left=192.168.1.12
>>     leftid=user
>>     right=gateway.net
>>     rightid=vv.xx.yy.zz
>>
>> conn network-mgmt
>>     also=network
>>     rightsubnet=xx.yy.248.8/29
>>     auto=start
>>
>> conn network-trust
>>     also=network
>>     rightsubnet=xx.yy.248.32/28
>>     auto=start
>>
>> conn network-dmz
>>     also=network
>>     rightsubnet=xx.yy.248.48/28
>>     auto=start
>>
>>
>> [~]> sudo /opt/strongswan/sbin/ipsec statusall
>> Status of IKE charon daemon (strongSwan 5.0.2, Linux
>> 2.6.32-358.2.1.el6.i686, i686):
>> uptime: 7 seconds, since Mar 26 01:24:51 2013
>> malloc: sbrk 135168, mmap 0, used 95552, free 39616
>> worker threads: 8 of 16 idle, 7/1/0/0 working, job queue: 0/0/0/0,
>> scheduled: 3
>> loaded plugins: charon aes des sha1 sha2 md5 random nonce x509
>> revocation constraints pubkey pkcs1 pkcs8 pgp dn
>> skey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve
>> socket-default stroke updown xauth-generic
>> Listening IP addresses:
>> 192.168.1.12
>> Connections:
>> network-mgmt: 192.168.1.12...gateway.net IKEv1 Aggressive
>> network-mgmt: local: [user] uses pre-shared key authentication
>> network-mgmt: remote: [vv.xx.yy.zz] uses pre-shared key authentication
>> network-mgmt: child: dynamic === xx.yy.248.8/29 TUNNEL
>> network-trust: child: dynamic === xx.yy.248.32/28 TUNNEL
>> network-dmz: child: dynamic === xx.yy.248.48/28 TUNNEL
>> Security Associations (1 up, 0 connecting):
>> network-mgmt[1]: ESTABLISHED 6 seconds ago,
>> 192.168.1.12[user]...vv.xx.yy.zz[vv.xx.yy.zz]
>> network-mgmt[1]: IKEv1 SPIs: a3676024cee6d6d2_i* b8f961a5eedca572_r,
>> pre-shared key reauthentication in 7 hours
>> network-mgmt[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
>> network-mgmt{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c99b5d07_i 381c7157_o
>> network-mgmt{1}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 24 minutes
>> network-mgmt{1}: 192.168.1.12/32 === xx.yy.248.8/29
>> network-trust{2}: INSTALLED, TUNNEL, ESP in UDP SPIs: c44f6125_i 381c7158_o
>> network-trust{2}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 25 minutes
>> network-trust{2}: 192.168.1.12/32 === xx.yy.248.32/28
>> network-dmz{3}: INSTALLED, TUNNEL, ESP in UDP SPIs: c2348492_i 381c7159_o
>> network-dmz{3}: 3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
>> rekeying in 24 minutes
>> network-dmz{3}: 192.168.1.12/32 === xx.yy.248.48/28
>>
>>
>>
>> [~]> cat /opt/strongswan/etc/ipsec.secrets
>> user : PSK passphrase
>>
>>
>> Any help is appreciated.
>>
>> Regards,
>> Arun G Nair
>
>
>
> --
> ::: Keep Smiling :::

--
::: Keep Smiling :::
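An added example, not part of the original thread and not strongSwan code: a small ipsec.conf check that resolves `also=` inheritance and lists the `auto=start` conns that end up with identical `left`/`leftid`/`right`/`rightid`, which is the layout of the quoted config before each conn was given its own `left`. The sample config is constructed from the post, and the parser assumes at most one `also=` per conn.

```python
from collections import defaultdict

SAMPLE = """# Constructed sample modelled on the ipsec.conf quoted in the thread
conn network
    left=192.168.1.12
    leftid=user
    right=gateway.net
    rightid=vv.xx.yy.zz
conn network-trust
    also=network
    rightsubnet=xx.yy.248.32/28
    auto=start
conn network-dmz
    also=network
    rightsubnet=xx.yy.248.48/28
    auto=start
"""

def parse_conns(text):  # -> {conn name: {key: value}}
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if line and not line[0].isspace():     # section header starts at column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def resolve(conns, name, seen=()):
    """Apply %default, then the also= parent, then the conn's own keys."""
    if name in seen:
        raise ValueError("also= loop at " + name)
    merged = dict(conns.get("%default", {}))
    if "also" in conns[name]:
        merged.update(resolve(conns, conns[name]["also"], seen + (name,)))
    merged.update((k, v) for k, v in conns[name].items() if k != "also")
    return merged

def shared_peers(text):
    """Map (left, leftid, right, rightid) -> started conns sharing those IKE endpoints."""
    conns, groups = parse_conns(text), defaultdict(list)
    for name in conns:
        cfg = resolve(conns, name)
        if name != "%default" and cfg.get("auto") == "start":
            key = tuple(cfg.get(k) for k in ("left", "leftid", "right", "rightid"))
            groups[key].append((name, cfg.get("rightsubnet")))
    return {k: v for k, v in groups.items() if len(v) > 1}
```

An empty result means every started conn has its own endpoint tuple, as after the change described in the reply.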
