roger_vasconcelos
New Member
October 23, 2020
Question

Strongswan IPsec - how to automatically set routes?

  • October 23, 2020
  • 2 replies
  • 8989 views

Hi there,

We have an IPsec Fortinet VPN, IKEv1. The official Forticlient connects and sets routes successfully on both Windows and macOS.

I'm trying to match the same setup using strongswan with Amazon Linux 2.

I'm able to log in, but the routes can't be set up automatically. I have to manually add the network using a new 'conn' and 'also'.

So, how can I configure strongswan to configure routes as Forticlient does?

Bests,

    conn connection01
            type = tunnel
            keyexchange = ikev1
            ikelifetime = 86400
            keyingtries = %forever
            ike = aes256-sha256-modp1536
            esp = aes256-sha256-modp1536
            aggressive = yes
            right = forticlient.fqdn
            rightsubnet = 10.0.0.0/24
            rightfirewall = yes
            rightid = %any
            rightauth = psk
            left = %defaultroute
            leftsubnet = %dynamic,10.1.1.0/24
            leftsourceip = %config4
            leftdns = %config4
            leftauth = psk
            leftauth2 = xauth
            xauth_identity = "<username>"
            auto = start
            compress = yes
            modeconfig = pull
            installpolicy = yes
            fragmentation = yes
            reauth = yes
            forceencaps = no
            mobike = no
            dpdaction = restart
            dpddelay = 10s
            dpdtimeout = 60s
            authby = secret

    conn sandbox
            also = connection01
            rightsubnet = 10.20.16.0/20

    2 replies

    sw2090
    SuperUser
    SuperUser
    October 23, 2020

    I am using Strongswan on Linux.

    Strongswan does not use your routing table. It does not add any routes.

    Instead it uses iptables to create forwarding rules for the traffic. Works fine here.

     

    emnoc
    New Member
    October 23, 2020

    No, it does not have to use iptables. I haven't run iptables in a decade or so, fwiw, and iptables has nothing to do with it. But you might want to disable iptables or firewalld temporarily for the host firewall ;)

    On the OP's question: what do you have in leftsubnet? That determines what split routes you send after authentication.

    Here's what we do (we use 2 unique VPN IKE-IDs).

    We have a full-tunnel and split-tunnel profile sharing the parent forticlients.

    e.g.

    conn vpnclients
            left=%any
            right=%any
            rightid=%any
            ikelifetime=480m
            keylife=60m
            keyexchange=ikev1
            authby=secret
            modeconfig=push
            ike=aes128-sha1-modp2048
            esp=aes128-sha1,aes128-sha256
            auto=add

    conn split
            also=vpnclients
            leftid=@vpnsplit.socpuppets.com
            leftsubnet=10.1.1.0/24,10.1.2.0/24

    conn full
            also=vpnclients
            leftsubnet=0.0.0.0/0
            leftid=@vpnfull.socpuppets.com

    Drop your ipsec.conf here and I'll review and comment on it, but it should look something like the above.

    Modified, my browser didn't show the configuration earlier. That cfg looks okay fwiw. So when your clients connect, do you see phase 2 status up for the clients?

     

    Ken Felix
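Both replies turn on which traffic selectors (leftsubnet/rightsubnet) end up in effect for each conn, since those are what charon turns into IPsec policies and routes; the OP's `also=` chain makes that harder to see at a glance. Below is an added example, not code from the thread or from strongSwan, that parses an ipsec.conf, resolves `also=` inheritance and reports the effective rightsubnet per conn; the sample config and the function names are constructed for illustration, and this parser assumes that a repeated key keeps its last value.

```python
import re
from typing import Dict

# Constructed sample, modelled on the OP's ipsec.conf (not the thread's full file).
SAMPLE_IPSEC_CONF = """\
config setup
conn connection01
        keyexchange = ikev1
        right = forticlient.fqdn
        rightsubnet = 10.0.0.0/24
        leftsubnet=%dynamic,10.1.1.0/24
        leftsourceip = %config4
        modeconfig = pull
        auto = start

conn sandbox
        also = connection01
        rightsubnet = 10.20.16.0/20
"""

def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Raw {conn_name: {key: value}}; 'config' and 'ca' sections are skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        header = re.match(r"^(conn|config|ca)\s+(\S+)$", line.strip())
        if header:
            current = sections.setdefault(header.group(2), {}) if header.group(1) == "conn" else None
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = value   # assumption: a repeated key (e.g. dpdaction twice) keeps the last value

    return sections

def resolve_conn(name: str, sections: Dict[str, Dict[str, str]], _seen=None) -> Dict[str, str]:
    """Effective settings for `name`: the also= parent's values first, then its own overrides."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        raise ValueError(f"also= cycle at conn {name}")
    _seen.add(name)
    own = sections[name]
    merged = resolve_conn(own["also"], sections, _seen) if "also" in own else {}
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged

def effective_selectors(text: str) -> Dict[str, str]:
    """Per conn, the remote subnet(s) the client will install policies and routes for."""
    sections = parse_sections(text)
    return {n: resolve_conn(n, sections).get("rightsubnet", "(unset)") for n in sections}
```

Running `effective_selectors` over a real ipsec.conf makes a 0.0.0.0/0 full-tunnel selector or an unintended inherited subnet visible before the tunnel is brought up.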