I like this method

Sent from my iPhone
> On 2 Jun 2015, at 3:15, Alan Tu <[email protected]> wrote:
>
> Thanks Noel for repeatedly taking a look.
>
> My workaround is to modify routing table 220, changing the default
> route back to the original LAN IP and then explicitly routing the VPN
> subnet over the VPN virtual IP. May not be pretty, but it works.
>
> Alan
>
>
>> On 6/1/15, Noel Kuntze <[email protected]> wrote:
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Hello Alan,
>>
>> Yes, looks like that vendor's implementation is borked.
>>
>> Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>>> On 01.06.2015 at 21:12, Alan Tu wrote:
>>> Hi Noel, I have rightsubnet=10.0.0.0/8 and no leftsubnet entry.
>>>
>>> Freshly tested from scratch: pristine VM image, downloaded, compiled and
>>> installed strongSwan. ipsec.conf [1] and syslog [2] are below. We have
>>> an out-of-band two-factor authentication mechanism, which I did
>>> successfully authenticate to.
>>>
>>> Perhaps this VPN software/appliance vendor implementation isn't
>>> compatible with what I want to do? Or at least the way I'm specifying
>>> it in the client configuration.
>>>
>>> Alan
>>>
>>> Notes:
>>> [1]
>>> conn %default
>>>     ikelifetime=20
>>>     reauth=yes
>>>     rekey=yes
>>>     keylife=10m
>>>     rekeymargin=3m
>>>     rekeyfuzz=0%
>>>     keyingtries=1
>>>     type=tunnel
>>>
>>> conn vpn
>>>     keyexchange=ikev1
>>>     ikelifetime=1440m
>>>     keylife=60m
>>>     aggressive=yes
>>>     ike=aes-sha1-modp1024
>>>     esp=aes-sha1
>>>     xauth=client
>>>     left=%any
>>>     leftid=keyid:[redacted]
>>>     leftsourceip=%modeconfig
>>>     leftauth=psk
>>>     rightauth=psk
>>>     leftauth2=xauth
>>>     right=[redacted]
>>>     rightsubnet=10.0.0.0/8
>>>     xauth_identity=[redacted]
>>>     auto=add
>>>
>>> conn lan
>>>     leftsubnet=172.31.0.0/16
>>>     rightsubnet=172.31.0.0/16
>>>     authby=never
>>>     type=passthrough
>>>     auto=route
>>>
>>> [2] syslog
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 03[CFG] received stroke: initiate 'vpn'
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 01[IKE] initiating Aggressive Mode IKE_SA vpn[1] to [VPN_gateway]
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 01[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 01[NET] sending packet: from 172.31.36.65[500] to [VPN_gateway][500] (384 bytes)
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 10[NET] received packet: from [VPN_gateway][500] to 172.31.36.65[500] (396 bytes)
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 10[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V NAT-D NAT-D V V ]
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 10[IKE] received XAuth vendor ID
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 10[IKE] received NAT-T (RFC 3947) vendor ID
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 10[IKE] received DPD vendor ID
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 10[ENC] received unknown vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 10[IKE] local host is behind NAT, sending keep alives
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 10[ENC] generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
>>> Jun 1 18:53:40 ip-172-31-37-117 charon: 10[NET] sending packet: from 172.31.36.65[4500] to [VPN_gateway][4500] (108 bytes)
>>> Jun 1 18:53:41 ip-172-31-37-117 charon: 11[NET] received packet: from [VPN_gateway][4500] to 172.31.36.65[4500] (76 bytes)
>>> Jun 1 18:53:41 ip-172-31-37-117 charon: 11[ENC] parsed TRANSACTION request 783318293 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
>>> Jun 1 18:53:41 ip-172-31-37-117 charon: 11[ENC] generating TRANSACTION response 783318293 [ HASH CPRP(X_USER X_PWD) ]
>>> Jun 1 18:53:41 ip-172-31-37-117 charon: 11[NET] sending packet: from 172.31.36.65[4500] to [VPN_gateway][4500] (108 bytes)
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[NET] received packet: from [VPN_gateway][4500] to 172.31.36.65[4500] (76 bytes)
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[ENC] parsed TRANSACTION request 703099895 [ HASH CPS(X_STATUS) ]
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[IKE] XAuth authentication of 'user' (myself) successful
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[IKE] IKE_SA vpn[1] established between 172.31.36.65[group]...[VPN_gateway][[VPN_gateway]]
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[IKE] scheduling reauthentication in 86220s
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[IKE] maximum IKE_SA lifetime 86400s
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[ENC] generating TRANSACTION response 703099895 [ HASH CPA(X_STATUS) ]
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[NET] sending packet: from 172.31.36.65[4500] to [VPN_gateway][4500] (76 bytes)
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[ENC] generating TRANSACTION request 4226299460 [ HASH CPRQ(ADDR DNS) ]
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 05[NET] sending packet: from 172.31.36.65[4500] to [VPN_gateway][4500] (76 bytes)
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 13[NET] received packet: from [VPN_gateway][4500] to 172.31.36.65[4500] (92 bytes)
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 13[ENC] parsed TRANSACTION response 4226299460 [ HASH CPRP(ADDR DNS DNS) ]
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 13[IKE] installing DNS server 10.100.15.5 via resolvconf
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 13[IKE] installing DNS server 10.100.24.250 via resolvconf
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 13[IKE] installing new virtual IP 10.100.4.5
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 13[ENC] generating QUICK_MODE request 675444149 [ HASH SA No ID ID ]
>>> Jun 1 18:53:49 ip-172-31-37-117 charon: 13[NET] sending packet: from 172.31.36.65[4500] to [VPN_gateway][4500] (204 bytes)
>>> Jun 1 18:53:53 ip-172-31-37-117 charon: 02[IKE] sending retransmit 1 of request message ID 675444149, seq 4
>>> Jun 1 18:53:53 ip-172-31-37-117 charon: 02[NET] sending packet: from 172.31.36.65[4500] to [VPN_gateway][4500] (204 bytes)
>>> Jun 1 18:54:01 ip-172-31-37-117 charon: 10[IKE] sending retransmit 2 of request message ID 675444149, seq 4
>>> Jun 1 18:54:01 ip-172-31-37-117 charon: 10[NET] sending packet: from 172.31.36.65[4500] to [VPN_gateway][4500] (204 bytes)
>>> Jun 1 18:54:14 ip-172-31-37-117 charon: 05[IKE] sending retransmit 3 of request message ID 675444149, seq 4
>>> Jun 1 18:54:14 ip-172-31-37-117 charon: 05[NET] sending packet: from 172.31.36.65[4500] to [VPN_gateway][4500] (204 bytes)
>>> Jun 1 18:54:33 ip-172-31-37-117 charon: 15[IKE] sending keep alive to [VPN_gateway][4500]
>>> Jun 1 18:54:37 ip-172-31-37-117 charon: 13[IKE] sending retransmit 4 of request message ID 675444149, seq 4
>>> Jun 1 18:54:37 ip-172-31-37-117 charon: 13[NET] sending packet: from 172.31.36.65[4500] to [VPN_gateway][4500] (204 bytes)
>>> Jun 1 18:54:56 ip-172-31-37-117 charon: 16[IKE] sending keep alive to [VPN_gateway][4500]
>>> Jun 1 18:55:16 ip-172-31-37-117 charon: 02[IKE] sending keep alive to [VPN_gateway][4500]
>>> Jun 1 18:55:19 ip-172-31-37-117 charon: 01[IKE] sending retransmit 5 of request message ID 675444149, seq 4
>>> Jun 1 18:55:19 ip-172-31-37-117 charon: 01[NET] sending packet: from 172.31.36.65[4500] to [VPN_gateway][4500] (204 bytes)
>>> Jun 1 18:55:38 ip-172-31-37-117 charon: 11[IKE] sending keep alive to [VPN_gateway][4500]
>>> Jun 1 18:55:58 ip-172-31-37-117 charon: 12[IKE] sending keep alive to [VPN_gateway][4500]
>>> Jun 1 18:56:18 ip-172-31-37-117 charon: 05[IKE] sending keep alive to [VPN_gateway][4500]
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 14[KNL] creating delete job for CHILD_SA ESP/0xc6eb89db/172.31.36.65
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 14[JOB] CHILD_SA ESP/0xc6eb89db/172.31.36.65 not found for delete
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 13[IKE] giving up after 5 retransmits
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 13[IKE] installing new virtual IP 10.100.4.5
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 13[IKE] initiating Aggressive Mode IKE_SA vpn[2] to [VPN_gateway]
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 13[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 13[NET] sending packet: from 172.31.36.65[500] to [VPN_gateway][500] (384 bytes)
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 04[NET] received packet: from [VPN_gateway][500] to 172.31.36.65[500] (396 bytes)
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 04[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V NAT-D NAT-D V V ]
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 04[IKE] received XAuth vendor ID
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 04[IKE] received NAT-T (RFC 3947) vendor ID
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 04[IKE] received DPD vendor ID
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 04[ENC] received unknown vendor ID: a9:b9:b1:03:4f:7e:50:a2:51:3b:47:b1:00:bb:85:a9
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 04[IKE] local host is behind NAT, sending keep alives
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 04[ENC] generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
>>> Jun 1 18:56:34 ip-172-31-37-117 charon: 04[NET] sending packet: from 172.31.36.65[4500] to [VPN_gateway][4500] (108 bytes)
>>> Jun 1 18:56:35 ip-172-31-37-117 charon: 16[NET] received packet: from [VPN_gateway][4500] to 172.31.36.65[4500] (76 bytes)
>>> Jun 1 18:56:35 ip-172-31-37-117 charon: 16[ENC] parsed TRANSACTION request 260202080 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
>>> Jun 1 18:56:35 ip-172-31-37-117 charon: 16[ENC] generating TRANSACTION response 260202080 [ HASH CPRP(X_USER X_PWD) ]
>>> Jun 1 18:56:35 ip-172-31-37-117 charon: 16[NET] sending packet: from 172.31.36.65[4500] to [VPN_gateway][4500] (108 bytes)
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[NET] received packet: from [VPN_gateway][4500] to 172.31.36.65[4500] (76 bytes)
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[ENC] parsed TRANSACTION request 1809935207 [ HASH CPS(X_STATUS) ]
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[IKE] XAuth authentication of 'user' (myself) successful
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[IKE] IKE_SA vpn[2] established between 172.31.36.65[group]...[VPN_gateway][[VPN_gateway]]
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[IKE] scheduling reauthentication in 86220s
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[IKE] maximum IKE_SA lifetime 86400s
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[ENC] generating TRANSACTION response 1809935207 [ HASH CPA(X_STATUS) ]
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[NET] sending packet: from 172.31.36.65[4500] to [VPN_gateway][4500] (76 bytes)
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[ENC] generating TRANSACTION request 150801322 [ HASH CPRQ(ADDR DNS) ]
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 10[NET] sending packet: from 172.31.36.65[4500] to [VPN_gateway][4500] (76 bytes)
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 11[NET] received packet: from [VPN_gateway][4500] to 172.31.36.65[4500] (92 bytes)
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 11[ENC] parsed TRANSACTION response 150801322 [ HASH CPRP(ADDR DNS DNS) ]
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 11[IKE] installing DNS server 10.100.15.5 via resolvconf
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 11[IKE] installing DNS server 10.100.24.250 via resolvconf
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 11[IKE] installing new virtual IP 10.100.4.2
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 11[ENC] generating QUICK_MODE request 1932673650 [ HASH SA No ID ID ]
>>> Jun 1 18:56:45 ip-172-31-37-117 charon: 11[NET] sending packet: from 172.31.36.65[4500] to [VPN_gateway][4500] (204 bytes)
>>> Jun 1 18:56:49 ip-172-31-37-117 charon: 16[IKE] sending retransmit 1 of request message ID 1932673650, seq 4
>>> Jun 1 18:56:49 ip-172-31-37-117 charo

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
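As an added example (not part of this thread and not strongSwan code), the following Python script triages the kind of charon log Alan posted: it walks the syslog lines and reports whether Phase 1, XAuth and mode config completed, and whether the Quick Mode (Phase 2) request was ever answered by the gateway, which is exactly the stage that times out in the log above. The sample lines are entries from Alan's syslog excerpt, unwrapped and trimmed; the "parsed QUICK_MODE response" line in the second sample is constructed to show the success path, and the function and field names are this example's own.

```python
"""Triage a strongSwan charon IKEv1/XAuth client log (added example)."""
import re
from typing import Any, Dict, List

# charon lines look like "charon: NN[SUBSYS] message"; keep only the message.
MSG_RE = re.compile(r"charon: \d+\[[A-Z]+\] (?P<msg>.*)$")

# Stage markers as charon logs them for an IKEv1 aggressive-mode XAuth client.
PATTERNS = {
    "ike_sa": re.compile(r"IKE_SA (\S+) established between"),
    "xauth": re.compile(r"XAuth authentication of '([^']+)' \(myself\) successful"),
    "vip": re.compile(r"installing new virtual IP (\S+)"),
    "dns": re.compile(r"installing DNS server (\S+) via"),
    "qm_req": re.compile(r"generating QUICK_MODE request (\d+)"),
    "qm_resp": re.compile(r"parsed QUICK_MODE response (\d+)"),
    "retransmit": re.compile(r"sending retransmit (\d+) of request message ID (\d+)"),
    "give_up": re.compile(r"giving up after (\d+) retransmits"),
}


def diagnose(s: Dict[str, Any]) -> str:
    """Classify the outcome. The case from the thread is Phase 1, XAuth and
    mode config all succeeding while the gateway never answers Quick Mode."""
    if s["ike_sa"] is None:
        return "phase1_failed"
    if not s["quick_mode"]:
        return "phase1_ok_no_quick_mode_sent"
    if all(q["answered"] for q in s["quick_mode"].values()):
        return "tunnel_negotiated"
    if s["gave_up"]:
        return "phase1_ok_phase2_unanswered"
    return "phase2_pending"


def analyze_charon_log(lines: List[str]) -> Dict[str, Any]:
    """Return a summary of the negotiation stages seen in the given log lines."""
    summary: Dict[str, Any] = {
        "ike_sa": None, "xauth_user": None, "virtual_ip": None,
        "dns": [], "quick_mode": {}, "gave_up": False,
    }
    qm = summary["quick_mode"]  # message ID -> {"retransmits": n, "answered": bool}
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue  # not a charon line (or a wrapped continuation)
        msg = m.group("msg")
        if (h := PATTERNS["ike_sa"].search(msg)):
            summary["ike_sa"] = h.group(1)
        elif (h := PATTERNS["xauth"].search(msg)):
            summary["xauth_user"] = h.group(1)
        elif (h := PATTERNS["vip"].search(msg)):
            summary["virtual_ip"] = h.group(1)
        elif (h := PATTERNS["dns"].search(msg)):
            summary["dns"].append(h.group(1))
        elif (h := PATTERNS["qm_req"].search(msg)):
            qm[h.group(1)] = {"retransmits": 0, "answered": False}
        elif (h := PATTERNS["qm_resp"].search(msg)):
            qm.setdefault(h.group(1), {"retransmits": 0, "answered": False})["answered"] = True
        elif (h := PATTERNS["retransmit"].search(msg)):
            n, mid = int(h.group(1)), h.group(2)
            if mid in qm:  # only count retransmits of Quick Mode requests
                qm[mid]["retransmits"] = max(qm[mid]["retransmits"], n)
        elif PATTERNS["give_up"].search(msg):
            summary["gave_up"] = True
    summary["diagnosis"] = diagnose(summary)
    return summary


# Lines from the thread's syslog excerpt, unwrapped and trimmed to the markers.
SAMPLE_LOG_UNANSWERED = [
    "Jun 1 18:53:49 ip-172-31-37-117 charon: 05[IKE] XAuth authentication of 'user' (myself) successful",
    "Jun 1 18:53:49 ip-172-31-37-117 charon: 05[IKE] IKE_SA vpn[1] established between 172.31.36.65[group]...[VPN_gateway][[VPN_gateway]]",
    "Jun 1 18:53:49 ip-172-31-37-117 charon: 13[IKE] installing DNS server 10.100.15.5 via resolvconf",
    "Jun 1 18:53:49 ip-172-31-37-117 charon: 13[IKE] installing DNS server 10.100.24.250 via resolvconf",
    "Jun 1 18:53:49 ip-172-31-37-117 charon: 13[IKE] installing new virtual IP 10.100.4.5",
    "Jun 1 18:53:49 ip-172-31-37-117 charon: 13[ENC] generating QUICK_MODE request 675444149 [ HASH SA No ID ID ]",
    "Jun 1 18:53:53 ip-172-31-37-117 charon: 02[IKE] sending retransmit 1 of request message ID 675444149, seq 4",
    "Jun 1 18:54:01 ip-172-31-37-117 charon: 10[IKE] sending retransmit 2 of request message ID 675444149, seq 4",
    "Jun 1 18:54:14 ip-172-31-37-117 charon: 05[IKE] sending retransmit 3 of request message ID 675444149, seq 4",
    "Jun 1 18:54:37 ip-172-31-37-117 charon: 13[IKE] sending retransmit 4 of request message ID 675444149, seq 4",
    "Jun 1 18:55:19 ip-172-31-37-117 charon: 01[IKE] sending retransmit 5 of request message ID 675444149, seq 4",
    "Jun 1 18:56:34 ip-172-31-37-117 charon: 13[IKE] giving up after 5 retransmits",
]

# Constructed success path: same start, but the gateway answers Quick Mode.
SAMPLE_LOG_ANSWERED = SAMPLE_LOG_UNANSWERED[:6] + [
    "Jun 1 18:53:50 ip-172-31-37-117 charon: 13[ENC] parsed QUICK_MODE response 675444149 [ HASH SA No ID ID ]",
]

if __name__ == "__main__":
    for name, log in (("unanswered", SAMPLE_LOG_UNANSWERED), ("answered", SAMPLE_LOG_ANSWERED)):
        print(name, analyze_charon_log(log))
```

On Alan's log the result is `phase1_ok_phase2_unanswered` with five retransmits of message ID 675444149 and no response, which narrows the problem to the Phase 2 proposal (selectors or ESP transform) rather than to PSK, XAuth or mode config; the per-message-ID bookkeeping is what keeps XAuth transaction retransmits from being miscounted as Quick Mode ones.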
