StrongSwan: multiple rightsubnet using IKEv1

Tags: site-to-site-vpn, strongswan, vigor, vpn

https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

According to the strongSwan documentation, rightsubnet with multiple network addresses only works with IKEv2. There is a common (?) workaround: set up multiple connections, all using the same SA.
Our scenario is that we use a Vigor 2860 as the company VPN gateway where all home offices etc. connect to.

If I set up multiple connections in strongSwan I would need to define multiple LAN-to-LAN profiles in the Vigor. Depending on the home offices to connect, this would exceed the number of profiles.

Is there another workaround to achieve traffic to a 2nd subnet being sent through the tunnel? (Routing? NATing?)

Thanks in advance.

Best Answer

If you only need resources behind the Vigor available for VPN access from dial-in clients, you should use NAT on the client side when connecting to the gateway, and likely use L2TP/IPsec in transport mode to set up connections. This way your home offices' gateways would connect to the central hub, get IP addresses from the pool configured in xl2tpd, and be able to access resources in the same VPN or other routed networks.

If you need to link any two home offices via these VPNs, perhaps it'll be better if you use a different hub endpoint than the Vigor, up to another strongSwan installation with VPN passthrough enabled on the Vigor for that machine, and not bother about that device's profile limits.
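The client-side setup the answer describes, written out as an added example (not from the original thread or from the strongSwan project): a home-office gateway running strongSwan and xl2tpd dials the hub with L2TP/IPsec in transport mode, so no subnets are negotiated in IKE and every hub-side network is simply routed over the PPP link, while the home LAN is masqueraded behind the pool address the hub assigns. All addresses, names and the hub-side PSK/PPP credentials are constructed placeholders (203.0.113.10 is the hub's public address, 10.0.0.0/16 covers the hub-side networks, 192.168.20.0/24 is the home LAN); the hub is assumed to accept L2TP/IPsec dial-in with a pre-shared key.

```ini
# /etc/ipsec.conf on the home-office gateway
# Transport mode: the SA only protects UDP 1701 (L2TP), no traffic selectors
# for subnets are needed, which is what sidesteps the single-rightsubnet limit.
conn hub-l2tp
    keyexchange=ikev1
    type=transport
    authby=secret
    left=%defaultroute
    leftprotoport=17/1701
    right=203.0.113.10
    rightprotoport=17/1701
    auto=add

# /etc/ipsec.secrets (placeholder key, constructed)
%any 203.0.113.10 : PSK "replace-with-the-hub-preshared-key"

# /etc/xl2tpd/xl2tpd.conf
; connect with: ipsec up hub-l2tp && echo "c hub" > /var/run/xl2tpd/l2tp-control
[lac hub]
lns = 203.0.113.10
pppoptfile = /etc/ppp/options.l2tpd.hub
length bit = yes

# /etc/ppp/options.l2tpd.hub
# accept the pool address the hub hands out; no default route through the tunnel
ipcp-accept-local
ipcp-accept-remote
refuse-eap
noccp
nodefaultroute
name "homeoffice-01"
password "replace-with-the-ppp-password"

# /etc/ppp/ip-up.d/hub-routes  (executable; pppd passes the interface as $1)
#!/bin/sh
# Route all hub-side networks over the PPP link and masquerade the home LAN
# behind the pool address, so the hub needs no route back to 192.168.20.0/24.
IFNAME="$1"
ip route replace 10.0.0.0/16 dev "$IFNAME"
iptables -t nat -C POSTROUTING -s 192.168.20.0/24 -o "$IFNAME" -j MASQUERADE 2>/dev/null ||
iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -o "$IFNAME" -j MASQUERADE
```

Because the home LAN is source-NATed, hosts behind the hub can only answer connections the home office initiated; if the hub must reach home-office hosts, the route-based hub the answer's second paragraph suggests is the better fit.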
