Issue #2529
Multiple Private Subnets
Description
Hello,
I've got a question about the way strongSwan handles multiple private subnets.
When specifying multiple subnets in the config, e.g.:
conn test-vpn1
    <other lines of config>
    rightsubnet=192.168.1.0/24,192.168.2.0/24
    type=tunnel
    auto=route
    dpdaction=hold
I've found that an SA will only establish between one of the subnets at a time rather than both. To get both to come up I need to split the subnets out into different connections, e.g.:
conn test-vpn1
    <other lines of config>
    rightsubnet=192.168.1.0/24
    type=tunnel
    auto=route
    dpdaction=hold
conn test-vpn2
    also=test-vpn1
    rightsubnet=192.168.2.0/24
I'm just wondering if this is the way it's supposed to work or if I'm missing something?
Many thanks,
Stuart
History
#1 Updated by Tobias Brunner over 7 years ago
- Status changed from New to Feedback
If you are using IKEv1, please see FAQ.
#2 Updated by Stuart Willson over 7 years ago
Hi Tobias,
No, this is with IKEv2 tunnels.
Kind regards,
Stuart
#3 Updated by Tobias Brunner over 7 years ago
Then provide more information.
#4 Updated by Stuart Willson over 7 years ago
Seems to happen when connecting to a Cisco ASA as the remote device. Works OK when testing strongSwan to strongSwan. I don't have an ASA to test this with at the moment. Feel free to close this ticket.
#5 Updated by Tobias Brunner over 7 years ago
- Category set to interoperability
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to Invalid
Seems to happen when connecting to a Cisco ASA as the remote device.
That explains it. Cisco ASAs currently can't negotiate more than one traffic selector (subnet) per CHILD_SA for IKEv2 (they enforce the IKEv1 paradigm).
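The workaround from the original report (one conn per subnet, chained with also=) is what a peer that accepts only one traffic selector per CHILD_SA needs. The following script, added here and not part of the ticket or of strongSwan, expands a conn whose leftsubnet/rightsubnet list several subnets into one conn per combination. The sample conn (keyexchange, right address, leftsubnet) and the generated conn names are constructed assumptions.

```python
"""Expand a strongSwan ipsec.conf conn with comma-separated subnets into
one conn per (leftsubnet, rightsubnet) pair, so every CHILD_SA carries a
single traffic selector.  Not part of strongSwan; written for this ticket."""
import itertools
import re

SPLIT_KEYS = ("leftsubnet", "rightsubnet")


def parse_conn(text):
    """Parse one 'conn NAME' block into (name, [(key, value), ...])."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    match = re.match(r"conn\s+(\S+)$", lines[0])
    if not match:
        raise ValueError("block must start with 'conn <name>'")
    settings = []
    for line in lines[1:]:
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {line!r}")
        settings.append((key.strip(), value.strip()))
    return match.group(1), settings


def split_subnets(text):
    """Return ipsec.conf text with one conn per subnet combination.
    The first conn keeps all other settings; later conns inherit them via
    also= and override only the subnet keys (the pattern used in the ticket)."""
    name, settings = parse_conn(text)
    base = [(k, v) for k, v in settings if k not in SPLIT_KEYS]
    lists = {k: [s.strip() for s in v.split(",") if s.strip()]
             for k, v in settings if k in SPLIT_KEYS}
    keys = [k for k in SPLIT_KEYS if k in lists]
    out = []
    for i, combo in enumerate(itertools.product(*(lists[k] for k in keys)), 1):
        out.append(f"conn {name}" if i == 1 else f"conn {name}-{i}")  # assumed naming
        out += [f"    {k}={v}" for k, v in base] if i == 1 else [f"    also={name}"]
        out += [f"    {k}={v}" for k, v in zip(keys, combo)]
    return "\n".join(out) + "\n"


# Constructed sample based on the conn in the original report.
SAMPLE = """conn test-vpn1
    keyexchange=ikev2
    right=203.0.113.1
    leftsubnet=10.0.0.0/24
    rightsubnet=192.168.1.0/24,192.168.2.0/24
    type=tunnel
    auto=route
    dpdaction=hold
"""

if __name__ == "__main__":
    print(split_subnets(SAMPLE), end="")
```

If both leftsubnet and rightsubnet list several networks, the script emits the full cross product, since each pair needs its own CHILD_SA on such a peer.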