DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Multiple VPN subnets and Strongswan

01 Mar 2022 09:07 #1 by csedgbeer.siemens
Multiple VPN subnets and Strongswan was created by csedgbeer.siemens
Hi All

We have a few Drayteks of varying models, all with VPNs to Strongswan which work well. Trying to add additional subnets onto a VPN but it keeps failing.

Have tried on the Draytek adding the extra subnet with and without the "Create SA for each subnet", also in Strongswan have added the 2nd subnet to the main line as below (as an example):
rightsubnet=192.168.1.1,192.168.2.1

Also added the 2nd subnet by creating an additional VPN connection entry which references the main entry then adds a 2nd subnet, example below:

conn=draytel-2nd-subnet
also=mainvpn
rightsubnet=192.168.2.1

Neither appears to work, the main VPN comes up but not with the 2nd subnet. Wonder if anyone has tried this and got it working?

Thanks

Chris


01 Mar 2022 15:10 #2 by hornbyp
Replied by hornbyp on topic Re: Multiple VPN subnets and Strongswan

csedgbeer.siemens wrote:
neither appear to work, the main vpn comes up but not with the 2nd subnet, wonder if anyone has tried this and got it working?



[I've only used multiple subnets with the "More" option (Draytek-to-Draytek)...]

Have you seen: https://draytek.co.uk/support/guides/kb-vpn-multiplesa ?

Draytek wrote: To add access through the VPN for the second subnet, select the More and add the details of the second subnet. The "Create Phase 2 SA for each subnet" does not need to be ticked unless one of the sites is a non-DrayTek router which requires any traffic to exactly match the IPSEC security association. If the device (e.g. a Cisco) requires traffic to match the security association then a Phase 2 SA must be created for each subnet. In this case, enable the Create Phase2 SA for each subnet.(IPsec) option.



So you may need to ascertain Strongswan's requirements first.

and

Draytek wrote: If Create Phase2 SA for each subnet.(IPsec) is unticked then [Connection Management] will show one VPN tunnel for the link and more subnets will be listed in the routing table. If the Create Phase2 SA for each subnet.(IPsec) is ticked then each subnet will appear in [Connection Management] with the same profile name.



Without the "Create Phase2..." option enabled, the entry in [Connection Management] doesn't change...

Are you sure it's not a Routing issue (maybe at the client that's trying to access the new subnet)?


01 Mar 2022 16:23 #3 by csedgbeer.siemens
Replied by csedgbeer.siemens on topic Re: Multiple VPN subnets and Strongswan
Thanks for the reply, think it's a Draytek to Strongswan thing, just need to find the right combination!

Have also posted something similar on the Strongswan forums.
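
The per-subnet Phase 2 approach from the DrayTek guide quoted in this thread, written out as a strongSwan ipsec.conf fragment. This is an added example, not configuration from any poster or from DrayTek; the connection names, the local subnet 10.0.0.0/24, the /24 prefix lengths, the peer address 203.0.113.10 (a documentation-range placeholder) and the use of IKEv1 with a pre-shared key are all assumptions.

```conf
# /etc/ipsec.conf (strongSwan, legacy ipsec.conf syntax) -- constructed example
#
# A section header is "conn <name>" (no "="), followed by indented options.
# Subnets are written as network/prefix; a bare address with no prefix
# length is treated as a single-host selector, not the whole LAN.

conn mainvpn
    # Assumption: the tunnel uses IKEv1 with a PSK held in ipsec.secrets.
    keyexchange=ikev1
    authby=secret
    left=%any
    # Assumption: LAN behind the strongSwan gateway.
    leftsubnet=10.0.0.0/24
    # Placeholder for the DrayTek WAN address.
    right=203.0.113.10
    rightsubnet=192.168.1.0/24
    auto=start

# One extra conn per additional remote subnet. "also=" inherits every
# option from mainvpn; only the remote traffic selector is overridden.
# Each conn negotiates its own Phase 2 SA, which corresponds to the
# DrayTek option "Create Phase2 SA for each subnet.(IPsec)" being ticked.
conn draytek-2nd-subnet
    also=mainvpn
    rightsubnet=192.168.2.0/24

# IKEv2-only alternative: one conn with a comma-separated subnet list.
# Under keyexchange=ikev1 strongSwan uses only the first subnet in such
# a list, so the second network never gets a Phase 2 SA.
#
# conn mainvpn-ikev2
#     also=mainvpn
#     keyexchange=ikev2
#     rightsubnet=192.168.1.0/24,192.168.2.0/24
```

After reloading the configuration, `ipsec statusall` should list one established child SA per remote subnet when the per-subnet form is in use.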
