cloudstack-dev mailing list archives

From "Lotic Lists" <li...@lotic.com.br>
Subject Workaround for StrongSwan with several rightsubnet's - ikev1
Date Fri, 18 Jan 2019 19:40:13 GMT
Hi all

After upgrading ACS from 4.9.3 (openswan) to 4.11.2 (strongswan), all VPNs
with multiple networks have stopped working. Only one of the networks
declared in the encryption domain passed traffic.

rightsubnet=192.168.198.0/23,192.168.208.0/23,192.168.170.0/23,192.168.234.0/23,192.168.69.0/24

I changed the configuration manually by creating different Child SAs, one
for each network; now all networks work.

https://lists.strongswan.org/pipermail/users/2015-November/008966.html



Example:

# conn for vpn-4.3.2.1
conn vpn-4.3.2.1
    left=1.2.3.4
    leftsubnet=192.168.101.0/24
    right=4.3.2.1
    type=tunnel
    authby=secret
    keyexchange=ike
    ike=aes128-sha1-modp1024
    ikelifetime=1h
    esp=aes128-sha1-modp1024
    lifetime=8h
    keyingtries=2
    auto=start
    forceencaps=no
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart

conn net-192.168.198.0
    also=vpn-4.3.2.1
    rightsubnet=192.168.198.0/23
    auto=start

conn net-192.168.208.0
    also=vpn-4.3.2.1
    rightsubnet=192.168.208.0/23
    auto=start

conn net-192.168.170.0
    also=vpn-4.3.2.1
    rightsubnet=192.168.170.0/23
    auto=start

conn net-192.168.234.0
    also=vpn-4.3.2.1
    rightsubnet=192.168.234.0/23
    auto=start

conn net-192.168.69.0
    also=vpn-4.3.2.1
    rightsubnet=192.168.69.0/24
    auto=start

 

Issue: https://github.com/apache/cloudstack/issues/3138
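
Added example, not part of the original message or of CloudStack's own code: a Python helper that turns a comma-separated rightsubnet value into the per-subnet child conns shown in the message. The function names and the four-space indentation are assumptions; the conn naming (net-<network address>) and the also=/auto=start lines follow the message's example.

```python
import ipaddress


def split_rightsubnet(value):
    """Parse a comma-separated rightsubnet value into validated, de-duplicated networks."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        # strict=True rejects entries with host bits set, e.g. 192.168.199.0/23
        net = ipaddress.ip_network(item, strict=True)
        if net not in nets:
            nets.append(net)
    if not nets:
        raise ValueError("rightsubnet is empty")
    return nets


def child_conns(parent, rightsubnet):
    """Return ipsec.conf text: one child conn per remote subnet, inheriting from parent via also=."""
    blocks, seen = [], set()
    for net in split_rightsubnet(rightsubnet):
        name = f"net-{net.network_address}"
        if name in seen:
            # e.g. 10.0.0.0/8 and 10.0.0.0/16 would both become net-10.0.0.0
            raise ValueError(f"duplicate conn name {name}")
        seen.add(name)
        blocks.append(
            f"conn {name}\n"
            f"    also={parent}\n"
            f"    rightsubnet={net}\n"
            f"    auto=start\n"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    # The rightsubnet value quoted in the message above
    SAMPLE = ("192.168.198.0/23,192.168.208.0/23,192.168.170.0/23,"
              "192.168.234.0/23,192.168.69.0/24")
    print(child_conns("vpn-4.3.2.1", SAMPLE))
```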

 

