Not sure if this actually fixed it, and not sure how I reason about it, but I had some success by setting all instances of “auto=start” to “auto=route” save for the last entry.
Prez Cannady
e: [email protected]
h: https://revprez.github.io

> On Dec 20, 2017, at 7:14 PM, Prez Cannady <[email protected]> wrote:
>
> Hoping someone can help me out here.
>
> I’m trying to configure a site-to-site IKEv1 connection to a remote host
> managed by another firm. I need to be able to route traffic to two
> right-side subnets, 10.0.51.0/24 and 10.0.20.0/24. I’m unable to simply
> declare 10.0.0.0/16 as the right-side subnet as doing so would conflict with
> addresses that I need to resolve in our local network.
>
> However, when activated with this configuration, only the last configured
> child connection enables (in this case subnet02). Commenting out the subnet02
> block enables routing to subnet01.
>
> It seems this child connection approach is the proper one for ikev1, but I
> could be wrong.
> https://lists.strongswan.org/pipermail/users/2012-March/002746.html
>
> I suspect I’m missing something very simple, but any help would be
> appreciated.
>
> Gist available here:
> https://gist.github.com/revprez/b6ae775b02cc2009721d2eadf950cd72
>
> conn common
>     authby=psk
>     type=tunnel
>     ike=...
>     ikelifetime=28800s
>     esp=...
>     keylife=3600s
>     keyingtries=%forever
>     keyexchange=ikev1
>     left=%defaultroute
>     leftid=...
>     leftsubnet=...
>     right=...
>     dpddelay=10
>     dpdtimeout=30
>     dpdaction=restart
>     installpolicy=yes
>     auto=start
>
> conn subnet01
>     also=common
>     rightsubnet=10.0.51.0/24
>     auto=start
>
> conn subnet02
>     also=common
>     rightsubnet=10.0.20.0/24
>     auto=start
>
>
> Prez Cannady
> e: [email protected]
> h: https://revprez.github.io
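To see what each child conn actually ends up with once `also=common` is resolved (the reply changes `auto=` on all but the last child), here is an added helper that flattens an ipsec.conf-style file and groups the resulting children by peer. It is not code from the thread or from strongSwan; the sample config is constructed, with hypothetical addresses standing in for the post's `...` placeholders.

```python
import re

# Constructed sample modelled on the thread's config; hypothetical values replace '...'.
IPSEC_CONF = """\
conn common
    keyexchange=ikev1
    leftsubnet=192.0.2.0/24
    right=198.51.100.1
    auto=start
conn subnet01
    also=common
    rightsubnet=10.0.51.0/24
    auto=route
conn subnet02
    also=common
    rightsubnet=10.0.20.0/24
    auto=start
"""

def parse_conns(text):
    """Return {conn_name: {key: value}}; only 'conn' sections are kept."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # strip comments
        if line and not line[0].isspace():          # unindented line: section header
            m = re.match(r"^conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
        elif line and current is not None and "=" in line:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    return conns

def effective(conns, name, seen=()):
    """Settings of `name` with its 'also=' section merged in; the conn's own keys win."""
    if name in seen:
        raise ValueError(f"cyclic also= chain at {name!r}")
    own = dict(conns[name])
    merged = effective(conns, own.pop("also"), seen + (name,)) if "also" in own else {}
    merged.update(own)
    return merged

def children_by_peer(text):
    """Non-template conns grouped by peer: {right: [(name, rightsubnet, auto)]}."""
    conns = parse_conns(text)
    templates = {c.get("also") for c in conns.values()}   # sections only used via also=
    out = {}
    for name in [n for n in conns if n not in templates]:
        e = effective(conns, name)
        out.setdefault(e.get("right"), []).append((name, e.get("rightsubnet"), e.get("auto")))
    return out
```

Running `children_by_peer(IPSEC_CONF)` lists, per peer address, every child with its inherited `right`, its own `rightsubnet` and the `auto=` value that survives the merge.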
