StrongSwan配置多个子网

ipsec.conf方式

# Shared IKE/ESP settings; sa_1 and sa_2 pull these in through also=myikesettings.
conn myikesettings
    # IKEv1 is used here, and each subnet pair is defined as its own conn.
    # Prefer keyexchange=ikev2 where both peers support it.
    keyexchange=ikev1
    # Tunnel endpoints: local (left) and remote (right) gateway addresses.
    left=10.0.0.1
    right=10.0.0.2
    # Local certificate, and the certificate expected from the peer.
    leftcert=mycert.pem
    # NOTE(review): ".oem" looks like a typo for ".pem" - confirm the file name on disk.
    rightcert=othercert.oem
    # The trailing "!" makes the proposal strict: only this suite is offered/accepted.
    # NOTE(review): AEAD (GCM) proposals for the IKE SA are, as far as I know, an
    # IKEv2 feature - confirm this line actually negotiates with keyexchange=ikev1.
    ike=aesgcm16-prfsha256-modp3072!
    # The DH group in the ESP proposal requests PFS for the child SA key exchange.
    esp=aesgcm16-modp3072!
    # Load the conn at startup without initiating it.
    # NOTE(review): set here, auto=add is inherited by sa_1/sa_2, but it presumably
    # also loads myikesettings itself as a host-to-host conn - confirm that is intended.
    auto=add
 
# First subnet pair: 192.168.1.0/24 <-> 192.168.51.0/24.
conn sa_1
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.51.0/24
    # Inherit endpoints, certificates, proposals and auto= from conn myikesettings.
    also=myikesettings
 
# Second subnet pair: 192.168.2.0/24 <-> 192.168.52.0/24.
conn sa_2
    leftsubnet=192.168.2.0/24
    rightsubnet=192.168.52.0/24
    # Inherit endpoints, certificates, proposals and auto= from conn myikesettings.
    also=myikesettings
# Restart the daemon so the edited ipsec.conf is read. A restart stops the
# daemon first, so any tunnels that are already established are torn down.
ipsec restart
# NOTE(review): a reload straight after a restart looks redundant, since the
# restart already re-reads the configuration - confirm before keeping both.
ipsec reload
# Initiate each conn by name; every subnet pair gets its own tunnel.
ipsec up sa_1
ipsec up sa_2

swanctl方式

# swanctl.conf: one IKE connection (host-host) carrying several child SAs.
# The "..." lines are placeholders for settings the example leaves out
# (addresses, authentication, proposals); they are not valid configuration.
connections {
	host-host {
		...
		children {
			# First child SA; local_ts/remote_ts are the traffic selectors
			# (subnets) protected by this child.
			host-host1 {
				local_ts=10.1.0.0/24
				remote_ts=10.2.0.0/24
				...
			}
			# NOTE(review): this child repeats exactly the selectors of
			# host-host1, so the example does not cover a second subnet pair.
			# It looks like a copy-paste slip - replace with the real second
			# local/remote subnets.
			host-host2 {
				local_ts=10.1.0.0/24
				remote_ts=10.2.0.0/24
				...
			}
		}
	}
}
# Start the IKE daemon in the background.
# NOTE(review): swanctl talks to the running daemon, so the next command may
# fail if it runs before charon is ready - confirm, or start the daemon through
# the system's service manager instead.
charon &
# Load credentials and connections from the swanctl configuration; --clear
# drops previously loaded credentials first.
swanctl --load-all --clear
# Initiate each child SA by the name given under children { }.
swanctl --initiate --child host-host1
swanctl --initiate --child host-host2

refer to:
https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Multiple-subnets-per-SA