15

I'm trying to use Openswan (version 2.6.37) to connect an IPsec VPN from my local network to a remote site. Everything works fine when I just want to connect to a single subnet on the remote site. However, the remote site also has an extra subnet that I want to access.

This is my configuration:

conn myConn
        type=tunnel
        left=192.168.139.14
        leftsubnet=192.168.139.0/24
        leftxauthclient=yes
        right=X.X.X.X
        rightsubnet=172.16.1.0/24
        keyexchange=ike
        auth=esp
        authby=secret
        phase2alg=3des-sha1
        pfs=yes

When I replace rightsubnet with rightsubnets, like so:

rightsubnets={172.16.1.0/24 192.168.3.0/24}

...then the connection is created successfully but only the last subnet in the list is available. Any attempts to ping anything on the 172.16.1.0 subnet fail. If I swap the order of the subnets around then I can ping 172.16.1.X but can't ping anything on the other subnet. It's as if Openswan is only using the last subnet in the list to create a connection.

Am I doing something wrong here?

A little bit of extra information that I neglected to mention (although I'm not sure it's relevant): My Openswan client is behind a router using NAT and I have nat_traversal=yes in my ipsec.conf file.

  • Do you use VLANs? I had almost exactly the same problem and the issue was a VLAN error –  Jan 19 '13 at 02:32
  • Have you tried making two security associations, one for each subnet? – gimmesudo Jan 19 '13 at 11:10
  • @Tyke, no I'm not using VLANs. My OpenSwan client is behind a router using NAT though - I've updated the question to reflect that. – FixMaker Jan 23 '13 at 10:32
  • @gimmesudo: I tried duplicating my configuration above for a new connection (`connection myConn2`), with everything identical except for the `rightsubnet`. When I use `ipsec auto --up myConn` I can ping 172.168.1.X. When I try to bring up the second connection (`ipsec auto --up myConn2`), I can ping 192.168.3.X but the first connection dies completely. – FixMaker Jan 23 '13 at 11:16
  • For connecting as a client to many IPsec routers (like Cisco), you'll find it simpler to use [`vpnc`](http://www.unix-ag.uni-kl.de/~massar/vpnc/)! – F. Hauri - Give Up GitHub Mar 02 '13 at 17:13
  • Facing the exact same issue. Did you fix this and are you able to recall what the issue was? – Kibet Jan 14 '16 at 09:38

5 Answers

3

Looks like the usual separator for the multiple subnets is a comma, but at least openswan-2.6.32 works with spaces too.

Interesting information should be logged to `/var/log/secure`, which could contain clues why it isn't working. Also post the output of `ip x s sh` and `ip x p sh`.

  • If you got here trying to switch from a single host to multiple hosts, pay attention that the key for multiple subnets is in the plural (`rightsubnets`) instead of the singular. – mgarciaisaia Jun 10 '19 at 20:43
1

If you use rightsubnets you have to use leftsubnets as well, not leftsubnet. Even if there's only one subnet on that side. The ipsec.conf man page doesn't do a great job of explaining this, but it's there.

I had similar problems for months and just found the answer in "openswan multiple subnets routing issue".

  • Not the case. leftsubnets={singleton} should be identical to leftsubnet=. (I wrote the code) – mcr Feb 17 '17 at 17:27
  • This was the solution that worked for me using libreswan 3.15. My left had a single subnet and the right had several. If I configured the left using leftsubnet= and the right using rightsubnets={} then only the last rightsubnet actually connected. Once I configured the left to use leftsubnets={} with the one subnet, it connected to all. – Adam Plumb Aug 03 '17 at 16:51
1

It looks like there's a bug in OpenSwan where the subnets list needs an extra comma at the end to work correctly. Try:

rightsubnets={172.16.1.0/24,192.168.3.0/24,}

Note the extra comma at the end.

1

Make a conn section for each subnet on BOTH endpoints of the tunnel. Only one of them (the first started) will start an SA negotiation; the second (or more) will only add a new SPD entry for the further subnets.

  • Unfortunately I can't do this as the remote endpoint is a third-party FortiGate router (not running OpenSwan). I'm starting to wonder if the problem may be related to the router not being able to cope with multiple tunnels between the same endpoints. – FixMaker Feb 04 '13 at 14:29
-3

It should be like this:

rightsubnets={172.16.1.0/24,192.168.3.0/24}

Use a comma (,) and not a space to separate entries.

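A small checker for the two points the answers above raise (the plural `leftsubnets`/`rightsubnets` keys must be used together, and the list accepts comma, space or trailing-comma syntax), added here as an example; it is not Openswan code, the sample conn is constructed from the question, and the pair expansion assumes Openswan instantiates one connection per left/right subnet pair as the answers describe.

```python
import ipaddress
import re

# Constructed sample: the question's conn, plural key on the right side only.
SAMPLE_CONF = """\
conn myConn
        leftsubnet=192.168.139.0/24
        rightsubnets={172.16.1.0/24 192.168.3.0/24}
"""

def parse_conn(text):
    """Return {key: value} for one conn section; keys are lower-cased."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        keys[key.strip().lower()] = value.strip()
    return keys

def subnet_list(value):
    """Split a {a,b} or {a b} list; a trailing comma adds no empty entry."""
    inner = value.strip().strip("{}")
    return [ipaddress.ip_network(s) for s in re.split(r"[,\s]+", inner) if s]

def side_subnets(keys, side):
    """Return (subnets, used_plural_key) for side 'left' or 'right'."""
    if side + "subnets" in keys:
        return subnet_list(keys[side + "subnets"]), True
    if side + "subnet" in keys:
        return [ipaddress.ip_network(keys[side + "subnet"])], False
    return [], False

def expected_child_sas(keys):
    """One child (IPsec) SA per (left subnet, right subnet) combination (assumed)."""
    lefts, _ = side_subnets(keys, "left")
    rights, _ = side_subnets(keys, "right")
    return [(str(l), str(r)) for l in lefts for r in rights]

def lint(keys):
    """Flag the pitfall from the answer above: singular key on one side, plural on the other."""
    _, left_plural = side_subnets(keys, "left")
    _, right_plural = side_subnets(keys, "right")
    if left_plural != right_plural:
        return ["pair leftsubnets={...} with rightsubnets={...}; do not mix leftsubnet= with rightsubnets="]
    return []
```

Running `lint(parse_conn(SAMPLE_CONF))` on the question's configuration returns the mixed-key warning; the same conn rewritten with `leftsubnets={192.168.139.0/24}` passes and still expands to two subnet pairs.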