[Swan] Android native VPN split tunneling howto : the peer proposed: 0.0.0.0/0:0/0

Paul Wouters paul at nohats.ca
Thu May 7 22:25:30 EEST 2015


On Thu, 7 May 2015, Anthony Alba wrote:

> Using libreswan 3.12 with the native Android VPN client.
>
> I am using the example in
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv1_XAUTH
>
> When I try to narrow the leftsubnet I get
>
> cannot respond to IPsec SA request because no connection is known for
> 0.0.0.0/0===10.11.3.41
> the peer proposed: 0.0.0.0/0:0/0 -> 10.231.247.1/32:0/0
>
> is there a way to handle this situation?

Unfortunately not.

The proper way is to leave that at 0.0.0.0 and actually send proper
ModeCFG route attributes to the client. Currently, we only support
those route attributes on the client side.

To support this, code would need to be changed to add a new config
option to specify the subnets for this (e.g. xauth-subnets=) and
for the server to send the ModeCFG payloads _and_ add the proper
IPsec SAs to the spd_route.

Paul
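An added example (not from the thread or from libreswan itself) that parses the two pluto log lines quoted above and checks whether the selector the client proposed fits inside a candidate leftsubnet, which is the mismatch this thread is about. The log text is a constructed copy of the quoted lines, and the narrowed leftsubnet value 10.11.3.0/24 is an assumption.

```python
import ipaddress
import re

# Constructed copy of the two pluto log lines quoted in the thread.
SAMPLE_LOG = """\
cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===10.11.3.41
the peer proposed: 0.0.0.0/0:0/0 -> 10.231.247.1/32:0/0
"""

# "the peer proposed: <our side>:<proto/port> -> <peer side>:<proto/port>"
PROPOSAL_RE = re.compile(
    r"the peer proposed: (?P<local>[0-9./]+):\S+ -> (?P<remote>[0-9./]+):\S+"
)


def parse_proposal(log_text):
    """Return (local_selector, remote_selector) as ip_network objects,
    taken from the responder's point of view, or None if absent."""
    m = PROPOSAL_RE.search(log_text)
    if m is None:
        return None
    return ipaddress.ip_network(m["local"]), ipaddress.ip_network(m["remote"])


def explain_mismatch(log_text, leftsubnet):
    """Compare the proposed local selector against a configured leftsubnet.
    'fits' is True only when the proposal is contained in leftsubnet; a
    client proposing 0.0.0.0/0 can only fit a leftsubnet of 0.0.0.0/0."""
    parsed = parse_proposal(log_text)
    if parsed is None:
        return {"parsed": False}
    proposed_local, proposed_remote = parsed
    configured = ipaddress.ip_network(leftsubnet, strict=False)
    return {
        "parsed": True,
        "proposed_local": str(proposed_local),
        "proposed_remote": str(proposed_remote),
        "leftsubnet": str(configured),
        "fits": proposed_local.subnet_of(configured),
    }


if __name__ == "__main__":
    # Assumed narrowed leftsubnet; the proposal 0.0.0.0/0 will not fit it.
    for candidate in ("10.11.3.0/24", "0.0.0.0/0"):
        print(explain_mismatch(SAMPLE_LOG, candidate))
```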
