Strongswan multiple right subnets

Installing and Using OpenWrt Network and Wireless Configuration
1

Hi! I've used openwrt and strongswan several times to create a site-to-site VPN. So far so good.

However, this time I need so specify two right subnets, eg.

option 'remote_subnet' '192.168.0.0/24,10.0.0.0/24'

which correctly generates:

rightsubnet=192.168.0.0/24,10.0.0.0/24

But I can't ping anything. If I remove the 2 subnets, and just use one, then I can ping remotes hosts on that subnet.

Help. Any ideas?

2

Update.

When I have the two subnets configured, logread shows:

Mon Jan 27 12:50:10 2020 authpriv.info ipsec: 04[CFG] unable to install policy 192.168.0.0/24 === 192.168.2.0/24 in for reqid 2, the same policy for reqid 1 exists
Mon Jan 27 12:50:10 2020 daemon.info ipsec: 04[CFG] unable to install policy 192.168.0.0/24 === 192.168.2.0/24 in for reqid 2, the same policy for reqid 1 exists    
Mon Jan 27 12:50:10 2020 authpriv.info ipsec: 04[CFG] unable to install policy 192.168.0.0/24 === 192.168.2.0/24 fwd for reqid 2, the same policy for reqid 1 exists
Mon Jan 27 12:50:10 2020 daemon.info ipsec: 04[CFG] unable to install policy 192.168.0.0/24 === 192.168.2.0/24 fwd for reqid 2, the same policy for reqid 1 exists
Mon Jan 27 12:50:10 2020 authpriv.info ipsec: 04[CFG] unable to install policy 192.168.2.0/24 === 192.168.168.0/24 out for reqid 2, the same policy for reqid 1 exists
Mon Jan 27 12:50:10 2020 daemon.info ipsec: 04[CFG] unable to install policy 192.168.2.0/24 === 192.168.168.0/24 out for reqid 2, the same policy for reqid 1 exists

Suggesting that it's trying to do 192.168.0.0 twice, and 10.0.0.0 not at all???

3

Hi.

For my l2l VPNs w/ multiple right & left subnets I'm declaring bellow in /etc/ipsec.conf:

conn warehouse-n32
leftsubnet=192.168.167.32/27
rightsubnet=192.168.172.0/28

conn local-net-192.168.167.32
also=warehouse-n32
leftsubnet=192.168.167.32/27

conn remote-net-192.168.172.16
also=warehouse-n32
rightsubnet=192.168.172.16/28

4

Thanks! Yup, I tried that, but that depends on the other side having multiple 'conn's configured, and in this case they don't, and they can't change it as it's in use by lots of their customers/partners.