Hello M,

Disable route installation in strongSwan and manage them as you yourself see fit. IPsec will work regardless.

Kind regards
Noel

On 02.01.20 at 12:45, /M wrote:
> Hi,
>
> happy new year! Many thanks for the great project and the support.
>
> I'm currently trying to find a good configuration for the following setup,
> but I was unsuccessful so far:
> * strongswan gateway with 2 WAN interfaces on an Edgerouter POE:
>   * WAN1: IPv4 static private IP-address 192.168.240.2/24 behind a
>     pfSense-Firewall (192.168.240.1) and dynamic IP allocation
>   * WAN2: public DSL uplink with static IP address
>   * LAN: 172.16.0.0/24
>
> WAN1 is the primary (fast) internet uplink for the network, WAN2 is only used
> for static routes and manual fail-over.
>
> To access WAN1 a client has to connect to a 802.11x-enabled WiFi and will
> receive an IP for 192.168.240.0/24.
> To access WAN2 a client can contact the static IP.
>
> Goal for the VPN: the users should be able to access LAN from both WAN-ports.
> I was able to set up two simple configurations for both (see below), but I
> have to add a static route for the WAN2-roadwarriors to allow correct routing.
>
> My question: are there any configuration combinations (route-based vpn,
> custom scripts, etc.) that allow the correct routing?
> Many thanks for your help and recommendations.
>
> Cheers
>
> /M
>
> # ipsec version
> Linux strongSwan U5.6.3/K4.9.79-UBNT
>
> ---------------------------
> ipsec.conf:
> config setup
>     uniqueids=no
>     strictcrlpolicy=yes
>
> ca myca
>     cacert=/config/user-data/ipsec.d/cacerts/my_CA.crt
>     auto=add
>
> conn vpn-base
>     keyexchange=ikev2
>     dpdaction=clear
>     dpddelay=60s
>     leftid="..."
>     leftsubnet=172.16.0.0/24
>     leftcert=/config/user-data/ipsec.d/certs/my.crt
>     leftsendcert=always
>     leftfirewall=yes
>     right=%any
>     rightsourceip=192.168.200.10-192.168.200.30
>     rightdns=172.16.0.1
>     rightauth=pubkey
>
> conn WAN1
>     also=vpn-base
>     left=192.168.240.2
>     auto=add
>
> conn WAN2
>     also=vpn-base
>     left=XXX.XXX.142.228
>     auto=add
> ---------------------------
>
> ---------------------------
> # ip xfrm policy
> src 172.16.0.0/24 dst 192.168.200.10/32
>         dir out priority 371327
>         tmpl src XXX.XXX.142.228 dst YYY.YYY.243.68
>                 proto esp spi 0xc68d7927 reqid 1 mode tunnel
> src 192.168.200.10/32 dst 172.16.0.0/24
>         dir fwd priority 371327
>         tmpl src YYY.YYY.243.68 dst XXX.XXX.142.228
>                 proto esp reqid 1 mode tunnel
> src 192.168.200.10/32 dst 172.16.0.0/24
>         dir in priority 371327
>         tmpl src YYY.YYY.243.68 dst XXX.XXX.142.228
>                 proto esp reqid 1 mode tunnel
> ---------------------------
>
> ---------------------------
> # ip route
> default via 192.168.240.2 dev eth1 proto zebra
> YYY.YYY.0.0/12 via XXX.XXX.142.228 dev pppoe0 proto zebra
> ---------------------------
>
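One way to "manage the routes yourself" for the dual-WAN setup quoted above, as an added example that is not part of the thread: with charon.install_routes = no in strongswan.conf, a source-address policy rule per WAN sends the ESP replies (and IKE) out through the interface the peer used, so no per-peer static route is needed. Table numbers 101/102, the next hop 192.168.240.1 for WAN1 and the interface names are assumptions; XXX.XXX.142.228 is the thread's own placeholder for the WAN2 address.

```shell
#!/bin/sh
# Added example, not from the thread: source-based policy routing for the
# dual-WAN gateway above, to pair with Noel's advice (strongswan.conf:
# charon { install_routes = no }) so that the routes are managed here instead.
#
# The quoted "ip xfrm policy" shows outbound templates with src XXX.XXX.142.228
# (WAN2) while the only default route points at eth1 (WAN1): without the
# per-peer static route the ESP reply would leave the wrong interface. A rule
# keyed on the outer packet's *source* address sends WAN2-sourced traffic via
# pppoe0 and WAN1-sourced traffic via eth1, for every peer at once.
#
# Assumptions not in the thread: table numbers 101/102, that 192.168.240.1 is
# the WAN1 next hop, and the interface names. XXX.XXX.142.228 is the thread's
# placeholder; put the real WAN2 address there.
set -eu

IP="${IP:-ip}"    # set IP=echo to print the commands instead of applying them

WAN1_ADDR=192.168.240.2;   WAN1_DEV=eth1;   WAN1_GW=192.168.240.1; WAN1_TABLE=101
WAN2_ADDR=XXX.XXX.142.228; WAN2_DEV=pppoe0;                        WAN2_TABLE=102

# wan_rules ADDR TABLE DEV [GW]
# Install a per-WAN routing table with a single default route, and a policy
# rule so packets sourced from ADDR (including ESP built by the XFRM policy)
# are looked up in that table. Idempotent: re-running replaces, not duplicates.
wan_rules() {
    addr=$1; table=$2; dev=$3; gw=${4:-}
    if [ -n "$gw" ]; then
        $IP route replace default via "$gw" dev "$dev" table "$table"
    else
        $IP route replace default dev "$dev" table "$table"  # point-to-point link
    fi
    $IP rule del from "$addr" table "$table" 2>/dev/null || true
    $IP rule add from "$addr" table "$table"
}

setup_dual_wan() {
    wan_rules "$WAN1_ADDR" "$WAN1_TABLE" "$WAN1_DEV" "$WAN1_GW"
    wan_rules "$WAN2_ADDR" "$WAN2_TABLE" "$WAN2_DEV"
}

# Only apply when invoked with "apply", so the functions can also be sourced.
if [ "${1:-}" = apply ]; then setup_dual_wan; fi
```

Check the result with `ip route get YYY.YYY.243.68 from XXX.XXX.142.228` (the peer and WAN2 addresses from the quoted xfrm output), which should now report dev pppoe0.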
