LibreSwan IKEv2 multiple left subnet for vpn splitting

Gian Lorenzo Abaño

1/30/24, 9:47 AM

I have built an IKEv2 VPN server.

The current config in /etc/ipsec.d/ikev2.conf is like this:

  conn ikev2-cp
  left=%defaultroute
  leftcert=58.xx.xx.xxx
  leftsendcert=always
  leftsubnet=192.168.1.0/18
  leftrsasigkey=%cert
  right=%any
  rightid=%fromcert
  rightaddresspool=192.168.43.10-192.168.43.250
  rightca=%same
  rightrsasigkey=%cert
  narrowing=yes
  dpddelay=30
  retransmit-timeout=300s
  dpdaction=clear
  auto=add
  ikev2=insist
  rekey=no
  pfs=no
  ike=aes256-sha2,aes128-sha2,aes256-sha1,aes128-sha1
  phase2alg=aes_gcm-null,aes128-sha1,aes256-sha1,aes128-sha2,aes256-s>
  ikelifetime=24h
  salifetime=24h
  encapsulation=yes
  leftid=58.xx.xx.xxx
  modecfgdns="8.8.8.8 8.8.4.4"
  mobike=no

What I want to happen is all vpn client request from ip subnets 192.168.1.0/24 and 192.168.43.0/24 will only go through the vpn tunnel. other request, ip addresses not in that subnet will be connected directly and not from the vpn tunnel.

I tried:

leftsubnet=192.168.1.0/24,192.168.43.0/24

This still don't work. It makes both IP subnets unreachable.

I also tried this one:

leftsubnet={192.168.1.0/24, 192.168.43.0/24}

I even tried the plural form:

leftsubnets={192.168.1.0/24, 192.168.43.0/24}

but the two subnets is still unreachable.

It only works when I provide only 1 leftsubnet

leftsubnet=192.168.1.0/18

The problem with this is request from 192.168.1.1 - 192.168.63.254 will go through the vpn tunnel.

I only want 192.168.1.0/24 and 192.168.43.0/24 to go through the tunnel.

Any workaround or fix for this problem?

266

0 + 1

ubuntu

vpn

ipsec

strongswan

libreswan

ecdsa

1/30/24, 1:01 PM

Does libreswan actually support multiple subnets (traffic selectors) per CHILD_SA? It might convert multiple subnets (via `leftsubnets`, i.e. the third syntax you tried) to distinct child configs. That is, the client would have to create a separate CHILD_SA for each subnet, like it was necessary with IKEv1. At least the [man page](https://libreswan.org/man/ipsec.conf.5.html) seems to indicate that: "If both a leftsubnets= and rightsubnets= are defined, all combinations of subnet tunnels will be established as IPsec tunnels." With IKEv2 a single CHILD_SA/tunnel would technically be enough.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: LibreSwan IKEv2 multiple left subnet for vpn splitting

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.