Greetings,
I’m trying to set up what should be a simple split tunnel configuration and am
having issues. The client is on a NAT subnet so I have
leftsubnet=192.168.1.0/24. I want everything except traffic for the LAN to go
out the IPsec tunnel so I have rightsubnet=0.0.0.0/0. The tunnel comes up fine
but _all_ traffic goes out the tunnel, even traffic destined for
192.168.1.0/24. If I try to ping some other host on the local subnet I can see
the ICMP request on the VPN server where it shouldn’t be. The VPN server can
(as expected) send an ICMP to a host on the LAN. I’ve tried both with and
without lefthostaccess=yes (which I thought would basically control split
tunneling).
Both servers are Debian Wheezy using the strongSwan 4.X packages. I can try the
strongSwan 5.X packages from backports but my impression is that this should
work just fine. It’s not a complex configuration so I’m kind of stumped as to
why it’s not working. I’m thinking that if I use ‘setkey -DP’ on the client I
should see a rule matching 192.168.1.0/24 - 192.168.1.0/24 to keep the local
traffic out of the tunnel? Or is there some other method I should be checking?
Any advice would be appreciated. Thanks,
-David Mitchell
On the server:

conn toclient
    keyexchange=ikev2
    left=1.1.1.1
    leftid=1.1.1.1
    leftcert=serverCert.der
    leftsubnet=0.0.0.0/0
    rightcert=clientCert.pem
    right=%any
    # righthostaccess=yes
    rightsubnet=192.168.1.0/24
    auto=add
On the client:

conn toserver
    keyexchange=ikev2
    right=1.1.1.1
    rightcert=serverCert.der
    rightsubnet=0.0.0.0/0
    leftsubnet=192.168.1.0/24
    leftcert=clientCert.pem
    # lefthostaccess=yes
    auto=add
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
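Editor's note on the configuration above, with an added example that is not part of the post. A rightsubnet of 0.0.0.0/0 on the client installs an outbound policy that also matches 192.168.1.0/24, so the LAN traffic is encapsulated exactly as observed. lefthostaccess does not affect this: it only makes the default updown script add INPUT/OUTPUT iptables rules so the host itself stays reachable when leftsubnet includes its own address. The usual strongSwan way to exempt the LAN is a second conn of type=passthrough covering the local subnet; it installs a bypass (shunt) policy whose narrower selector takes precedence over the tunnel's 0.0.0.0/0 policy, and with auto=route it is installed as soon as the daemon loads it, without any IKE exchange. The client ipsec.conf below reuses the addresses and certificate names from the post; it assumes the installed 4.x packages accept type=passthrough (confirm with `man ipsec.conf` on the box, or use the 5.x backport). The server side needs no change.

```ini
# Client ipsec.conf: added example, not the poster's configuration.
# 1.1.1.1, 192.168.1.0/24 and the certificate file names come from the post.

conn toserver
    keyexchange=ikev2
    right=1.1.1.1
    rightcert=serverCert.der
    rightsubnet=0.0.0.0/0
    leftsubnet=192.168.1.0/24
    leftcert=clientCert.pem
    auto=add

# Bypass policy for hosts on the local LAN. The /24 selector is more
# specific than the 0.0.0.0/0 tunnel policy, so the kernel matches it
# first and sends that traffic in the clear. No peer is involved, hence
# authby=never, and auto=route installs the policy at startup.
conn lan-passthrough
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.1.0/24
    type=passthrough
    authby=never
    auto=route
```

After `ipsec reload` and `ipsec up toserver`, `ip xfrm policy` on the client should list an outbound policy `src 192.168.1.0/24 dst 192.168.1.0/24` with no `tmpl` line next to the tunnel policy for `dst 0.0.0.0/0`; a ping to a LAN neighbour should then no longer appear on the VPN server.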
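On the question of what to look for: on the netkey (XFRM) stack `setkey -DP` and `ip xfrm policy` both print the kernel SPD, and the kernel selects, among policies whose selector matches, the one with the lowest numeric priority; strongSwan assigns narrower selectors a lower value, which is why a /24 bypass policy wins over the 0.0.0.0/0 tunnel policy. The added Python below (my example, not code from the thread or the strongSwan project) parses `ip xfrm policy` style output and reproduces that lookup so one can see, for a given source and destination, whether a packet would be tunnelled or bypassed. The two policy dumps are constructed for the addresses in the post, not captured from a real host, and the priority numbers are illustrative; only their relative order matters.

```python
import ipaddress
import re

# Constructed `ip xfrm policy` output for the client with only the tunnel
# policies from the post installed (not captured from a real system).
POLICIES_TUNNEL_ONLY = """\
src 192.168.1.0/24 dst 0.0.0.0/0
        dir out priority 2816 ptype main
        tmpl src 192.168.1.5 dst 1.1.1.1
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 192.168.1.0/24
        dir fwd priority 2816 ptype main
        tmpl src 1.1.1.1 dst 192.168.1.5
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 192.168.1.0/24
        dir in priority 2816 ptype main
        tmpl src 1.1.1.1 dst 192.168.1.5
                proto esp reqid 1 mode tunnel
"""

# Same client after a type=passthrough conn for the LAN was added: two extra
# policies with a narrower selector, a lower priority value and no tmpl
# (a tmpl line is what marks a policy as "apply ESP"). Also constructed.
POLICIES_WITH_PASSTHROUGH = POLICIES_TUNNEL_ONLY + """\
src 192.168.1.0/24 dst 192.168.1.0/24
        dir out priority 2048 ptype main
src 192.168.1.0/24 dst 192.168.1.0/24
        dir in priority 2048 ptype main
"""


def parse_xfrm_policies(text):
    """Turn `ip xfrm policy` output into a list of dicts with the fields
    src, dst (ip_network), dir, priority and tmpl (list of (src, dst))."""
    policies = []
    cur = None
    for line in text.splitlines():
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:  # a new policy record starts at column 0
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)),
                   "tmpl": []}
            policies.append(cur)
            continue
        m = re.match(r"^\s+dir (\w+) priority (\d+)", line)
        if m and cur is not None:
            cur["dir"] = m.group(1)
            cur["priority"] = int(m.group(2))
            continue
        m = re.match(r"^\s+tmpl src (\S+) dst (\S+)", line)
        if m and cur is not None:
            cur["tmpl"].append((m.group(1), m.group(2)))
    return policies


def winning_policy(policies, src_ip, dst_ip, direction="out"):
    """Mimic the kernel lookup: of all policies in `direction` whose
    selector covers src->dst, the lowest priority value wins."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    matches = [p for p in policies
               if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    if not matches:
        return None
    return min(matches, key=lambda p: p["priority"])


def is_tunneled(policies, src_ip, dst_ip):
    """True if outbound src->dst hits a policy with an ESP template,
    False if it hits a bypass policy or no policy at all."""
    pol = winning_policy(policies, src_ip, dst_ip)
    return bool(pol and pol["tmpl"])


def check_split_tunnel(policies, client_ip, lan_peer, internet_host):
    """Summarise the two cases a split tunnel must get right."""
    return {
        "lan_peer_tunneled": is_tunneled(policies, client_ip, lan_peer),
        "internet_tunneled": is_tunneled(policies, client_ip, internet_host),
    }


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for "the Internet".
    for label, dump in (("tunnel only", POLICIES_TUNNEL_ONLY),
                        ("with passthrough", POLICIES_WITH_PASSTHROUGH)):
        result = check_split_tunnel(parse_xfrm_policies(dump),
                                    "192.168.1.5", "192.168.1.20", "203.0.113.10")
        print(label, result)
```

Running the script against a real dump (`ip xfrm policy > spd.txt`) only needs `parse_xfrm_policies(open("spd.txt").read())`; the "tunnel only" case shows the LAN peer as tunnelled, which is the symptom from the post, and the passthrough case shows it bypassed while Internet traffic is still tunnelled.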