[Swan] Android native VPN split tunneling howto : the peer proposed: 0.0.0.0/0:0/0

Anthony Alba ascanio.alba7 at gmail.com
Thu May 7 07:52:00 EEST 2015


Hello,

Using libreswan 3.12 with the native Android VPN client.

I am using the example in
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH

When I try to narrow the leftsubnet I get

cannot respond to IPsec SA request because no connection is known for
0.0.0.0/0===10.11.3.41
the peer proposed: 0.0.0.0/0:0/0 -> 10.231.247.1/32:0/0

Is there a way to handle this situation?

The Android VPN client has an Advanced option which allows me to
configure split tunneling but I would prefer it to be handled by the
server side.

"The split tunneling directive will be sent automatically if the xauth
server side has configured a network other than 0.0.0.0/0"


conn xauth-rsa
    authby=rsasig
    pfs=no
    auto=add
    rekey=no
    left=10.11.3.41
    leftcert=xxxx
    leftid=@xxxx
    leftsendcert=always
    leftsubnet=192.168.100.0/24
    rightaddresspool=10.231.247.1-10.231.247.254
    right=%any
    rightid=%fromcert
    rightrsasigkey=%cert
    modecfgdns1=192.168.100.15
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    xauthby=alwaysok
    ike-frag=yes

Anthony
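
An added example, not part of the original post and not libreswan code: a small Python check that parses the "peer proposed" log line quoted above and compares it with the conn's leftsubnet and rightaddresspool, to show which selector fails to match. The function names are hypothetical, the sample values are copied from the post, and the equality test is a simplified assumption about how the responder matches a proposal.

```python
import ipaddress
import re

# Sample input constructed from the log line and conn values quoted in the post.
LOG_LINE = "the peer proposed: 0.0.0.0/0:0/0 -> 10.231.247.1/32:0/0"
CONN = {"leftsubnet": "192.168.100.0/24",
        "rightaddresspool": "10.231.247.1-10.231.247.254"}

# Each selector is printed as network/prefix:protocol/port.
PROPOSAL_RE = re.compile(
    r"the peer proposed: (\S+?/\d+):(\d+)/(\d+) -> (\S+?/\d+):(\d+)/(\d+)")

def parse_proposal(line):
    """Return (server_side_net, client_side_net) from a 'peer proposed' line."""
    m = PROPOSAL_RE.search(line)
    if not m:
        raise ValueError("not a 'peer proposed' line: %r" % line)
    return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(4))

def in_pool(net, pool):
    """True if net is a single host address inside the 'first-last' pool."""
    first, last = (ipaddress.ip_address(p) for p in pool.split("-"))
    return net.num_addresses == 1 and first <= net.network_address <= last

def diagnose(line, conn):
    """Compare the proposed selectors with the conn; return a list of findings."""
    ours, theirs = parse_proposal(line)
    configured = ipaddress.ip_network(conn["leftsubnet"])
    findings = []
    # Assumption: the server-side selector must equal leftsubnet to match.
    if ours != configured:
        relation = "wider than" if configured.subnet_of(ours) else "different from"
        findings.append("server side: peer asked for %s, %s leftsubnet=%s"
                        % (ours, relation, configured))
    if not in_pool(theirs, conn["rightaddresspool"]):
        findings.append("client side: %s is not a lease from rightaddresspool"
                        % theirs)
    return findings

if __name__ == "__main__":
    for finding in diagnose(LOG_LINE, CONN):
        print(finding)
```

With the values from the post, only the server-side selector is reported: the client address is a valid lease from the pool, but the client still asks for 0.0.0.0/0 instead of the narrowed leftsubnet.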

