If I could aware a star for disinformation, this one would get it. 1) The article about interoperability with Windows explains how to get routes working for crappy Windows clients. 2) As Anvar explained, leftsubnet sets the local traffic selector, which defines which destinations are allowed by the IPsec policies. Set leftsubnet=0.0.0.0/0. 3) You can not only allow certain protocols through the tunnel without blackholing all other protocols, if the sender uses route basec IPsec. 4) You likely use libipsec. Stop doing that, it sucks. It is likely the cause of Android and other clients working, but not Windows with your wrong configuration, if you tested Android and other clients with leftsubnet=[IP]/32.
Kind regards Noel On 29.09.2017 12:23, Anvar Kuchkartaev wrote: > I don't think the windows is able to obtain routes from IKE vpn server. > Windows must be using 0.0.0.0/0 route to your VPN server and sending all > traffic to it but if you configured left=[IP]/32 from VPN server side then > all other traffic than that IP not authorised to pass through tunnel. I don't > know how to configure VPN routes in windows and I would rather recommended to > configure router standing between windows and internet and share the tunnel > of router with other devices connected to it. > > Anvar Kuchkartaev > [email protected] > *From: *Aleksey Kravchenko > *Sent: *viernes, 29 de septiembre de 2017 12:08 p.m. > *To: *Noel Kuntze; [email protected] > *Subject: *Re: [strongSwan] Strongswan. Address definition/Routing. > > > Hello again! I need your help. > > The problem is that the traffic through VPN is sent only when accessing one > specific IP. I pointed this IP to leftsubnet = IP / 32 and everything works > well for linux, macos, android, ios. But Windows in this case does not see > the Internet and only the address specified in leftsubnet is available to it. > > And is it still possible to specify specific ports? For example, you can only > take http and https through VPN. The protoport option did not help. > Thank you in advance! > > 2017-09-25 16:10 GMT+03:00 Aleksey Kravchenko <[email protected] > <mailto:[email protected]>>: > > Good. > Thank you, Noel. > > 2017-09-25 16:08 GMT+03:00 Noel Kuntze > <[email protected] > <mailto:[email protected]>>: > > Hi, > > No. As I previously wrote, this is a system intrinsic problem. > > Kind regards > > Noel > > On 25.09.2017 15:03, Aleksey Kravchenko wrote: > > Hello. I managed to solve the problem with routes on windows and > macos. For this purpose, a second white IP was used. > > p.s. Are there any ways or tricks to solve this problem with the > same IP address? > > > > 2017-09-14 11:03 GMT+03:00 Aleksey Kravchenko <[email protected] > <mailto:[email protected]> <mailto:[email protected] > <mailto:[email protected]>>>: > > > > Hello, Noel. Thanks for the answer. Unfortunately, there is no > way to bypass.As a solution we can use the second white IP for Strongswan, > and the web server on the 1st IP. > > > > 2017-09-13 22:17 GMT+03:00 Noel Kuntze > <[email protected] > <mailto:[email protected] > <mailto:noel.kuntze%[email protected]>>>: > > > > Hi, > > > > That is because Windows and MacOS implement crappy route > based IPsec which conceptually can not protect traffic to the IKE peer's > > address (unless policy based routing is used, which neither > Windows nor MacOS implement). > > > > Kind regards > > > > Noel > > > > On 13.09.2017 17:14, Aleksey Kravchenko wrote: > > > Hello.I need your advice. > > > The work of Strongswan + IKEv2 is configured. Everything > works fine (on iOS, macOS, windows, linux), but I noticed strange behavior in > VPN's work. There is a server on which Strongswan and Nginx are > installed.When you connect to the VPN and go to the site which is located in > the same place as the strongswan daemon, the nginx log shows different > addresses for connections. For instance:android / linux -> login from the > address issued by the VPN (for example, 192.168.1.2). > > > windows / macos -> login from the usual address (provider > address). > > > But if you go to the IP detection server, the result for > all devices is the same: you logged in from the VPN server.Maybe you have any > thoughts about this? Thank you! > > > > > > > > > >
signature.asc
Description: OpenPGP digital signature
