Strongswan to OpenBSD isakmpd IPSec VPN

ipsec strongswan vpn

At my end I have a StrongSwan installation, connecting to an IPSec VPN hosted by an OpenBSD box running stock isakmpd. The OpenBSD box already hosts multiple other associations, but the StrongSwan box is a new client.

The credentials I have (an x509 certificate) have successfully been used on a Windows box with TheGreenBow as a client, and I've nearly got it working with StrongSwan. It successfully raises a connection and organises a security association. However, no traffic is actually flowing over it – and it doesn't appear to be using the value set under leftsourceip. ipsec statusall gives the following:

vpn{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 25 minutes
vpn{1}:  192.168.1.6/32 === 172.17.1.0/24

With 192.168.1.6 being my local IP. leftsourceip is set to 172.18.1.97. My understanding is that 192.168.1.6/32 displayed by the status command should actually be 172.18.1.97/32 – almost like it's ignoring the value set?

Is there anything else that might be causing an issue?

Best Answer

leftsourceip is only used for dynamic assignment of configuration attributes (including IP addresses) via mode config or IKEv2 configuration payloads. strongSwan won't install that address locally if mode config is not used. The strongSwan wiki has more on this.

If you want to use a specific IP address inside the tunnel, just install it on one of the local interfaces (could even be lo). Then use that address in your leftsubnet setting e.g. leftsubnet=172.18.1.97/32.
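As an added illustration (not part of the question or answer), the script below holds a constructed ipsec.conf excerpt with the misconfiguration from the question beside the conn the answer proposes, and a small lint that flags conns setting leftsourceip without a leftsubnet. The peer name vpn.example.org is a placeholder.

```shell
#!/bin/sh
# Constructed ipsec.conf excerpt: leftsourceip without leftsubnet (as in
# the question) next to the fix from the answer (address installed on lo,
# then selected with leftsubnet).
SAMPLE_CONF='conn vpn-broken
    left=192.168.1.6
    leftsourceip=172.18.1.97
    right=vpn.example.org
    rightsubnet=172.17.1.0/24
    auto=start

conn vpn-fixed
    left=192.168.1.6
    leftsubnet=172.18.1.97/32
    right=vpn.example.org
    rightsubnet=172.17.1.0/24
    auto=start
'

# lint_leftsourceip: read ipsec.conf text on stdin, print one line per conn
# that sets leftsourceip but no leftsubnet. Without mode config the peer
# never assigns that address, so the policy falls back to the host address
# (the 192.168.1.6/32 seen in the question's statusall output).
lint_leftsourceip() {
    awk '
    function report() {
        if (name != "" && srcip != "" && subnet == "")
            printf "%s: leftsourceip=%s but no leftsubnet; policy will use the host address. Fix: ip addr add %s/32 dev lo; leftsubnet=%s/32\n", name, srcip, srcip, srcip
    }
    /^conn[[:space:]]/ { report(); name = $2; srcip = ""; subnet = ""; next }
    /^[[:space:]]*leftsourceip=/ { sub(/^[[:space:]]*leftsourceip=/, ""); srcip = $0 }
    /^[[:space:]]*leftsubnet=/   { sub(/^[[:space:]]*leftsubnet=/, "");   subnet = $0 }
    END { report() }
    '
}

# Run the lint over the constructed sample; only vpn-broken should be reported.
lint_sample() {
    printf '%s' "$SAMPLE_CONF" | lint_leftsourceip
}

lint_sample
```

To check a live system instead, feed the real file: `lint_leftsourceip < /etc/ipsec.conf`.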