Score:0

Strongswan IPSEC specific rightsubnet


I have a strongSwan IPsec setup installed on Ubuntu. I have a static public IP 103.x.x.x and a VPN client subnet of 10.100.100.2/24. I have 2 clients running Ubuntu. I was able to ping from client 1 to client 2 and vice versa, and they have the 103.x.x.x public IP. I want to limit my rightsubnet to 10.100.100.2/24 only. When I change rightsubnet in the clients from 0.0.0.0/0 to 10.100.100.2/24, the connection is established, but when I run curl https://checkip.amazonaws.com, the returned IP is the client's public IP instead of the server's public IP (which is what I expected). What would be the correct config for my use case?

Here's my server config:

[server config]

Client config:

[client config]

user1686:
Isn't this completely normal? You're talking to the server at checkip.amazonaws.com, whose address is _not_ within the rightsubnet, so of course it won't go over the VPN, because that's what you wanted?
kramnitsuj:
Okay, thanks for the reply, and sorry for the noob question. Is it possible to allow all traffic (0.0.0.0/0) but have one specific subnet that won't go over the VPN (for example 172.22.0.0/24)?
Yes, e.g. via [bypass/passthrough policies](https://docs.strongswan.org/docs/5.9/config/quickstart.html#_passthroughbypass_policies).
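The two situations discussed above (a narrowed rightsubnet that only tunnels traffic to the VPN pool, and a full tunnel with one subnet exempted via a passthrough policy), shown as an added example of a client-side ipsec.conf. This is not the poster's config or strongSwan's own documentation; the conn names `vpn` and `bypass-lan`, `103.x.x.x` as the server address, and the assumption that 172.22.0.0/24 is a subnet directly attached to the client are all mine. The VPN pool is written as its network address 10.100.100.0/24 rather than 10.100.100.2/24 (strongSwan treats the /24 selector as the whole network either way).

```ini
# /etc/ipsec.conf on a VPN client (added example, hypothetical conn names)

conn vpn
    left=%defaultroute
    leftsourceip=%config         # ask the server for a virtual IP from the 10.100.100.0/24 pool
    right=103.x.x.x              # server's public address, placeholder as in the question
    # rightsubnet=10.100.100.0/24 would tunnel only traffic destined for the VPN pool,
    # so a request to checkip.amazonaws.com leaves via the client's own uplink and the
    # service reports the client's public IP. 0.0.0.0/0 makes the server the default gateway.
    rightsubnet=0.0.0.0/0
    auto=start

# Passthrough (bypass) policy: traffic to/from 172.22.0.0/24 is never sent through IPsec.
# type=passthrough installs a "pass" policy instead of a tunnel policy, and auto=route
# installs it at startup without negotiating anything with the peer. Pass policies take
# precedence over the 0.0.0.0/0 tunnel policy, so this traffic stays in the clear.
conn bypass-lan
    leftsubnet=172.22.0.0/24
    rightsubnet=172.22.0.0/24
    type=passthrough
    auto=route
```

After `ipsec reload`, `ipsec statusall` should list `bypass-lan` as ROUTED, PASSTHROUGH, and `ip xfrm policy` should show policies for 172.22.0.0/24 with no `tmpl` (no SA template) alongside the 0.0.0.0/0 tunnel policies. One thing to verify rather than assume: charon installs its tunnel routes in routing table 220, and a 0.0.0.0/0 route there can still select the virtual IP as source for bypassed traffic; if `ip route get 172.22.0.1` reports the virtual IP as `src`, add a more specific route for the subnet in table 220 (or, for a directly attached LAN, use the bypass-lan plugin, which installs such policies for local subnets automatically). If the exempted subnet is not directly attached, widen `leftsubnet` on the bypass conn to cover the source addresses the client will actually use.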