Update docs
- Re-add split tunneling instructions for multiple subnets, which were previously removed in 5525c40.
Ref: https://github.com/hwdsl2/docker-ipsec-vpn-server/issues/456
Parent: e2cad5c7b8
Commit: 963902e198
@ -297,9 +297,14 @@ IPsec/XAuth ("Cisco IPsec") 模式:启用 VPN 分流 (split tunneling)
下面的示例 **仅适用于** IPsec/XAuth ("Cisco IPsec") 模式。这些命令必须用 `root` 账户运行。
1. 编辑 VPN 服务器上的 `/etc/ipsec.conf`。在 `conn xauth-psk` 小节中,将 `leftsubnet=0.0.0.0/0` 替换为你想要 VPN 客户端通过 VPN 隧道发送流量的子网。例如:
对于单个子网:
```
leftsubnet=10.123.123.0/24
```
对于多个子网(使用 `leftsubnets`):
```
leftsubnets="10.123.123.0/24,10.100.0.0/16"
```
1. **(重要)** 重启 IPsec 服务:
```
service ipsec restart
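Review bot: the heading "对于多个子网(使用 `leftsubnets`):" drops the "instead" that the English version of the same step carries ("use `leftsubnets` instead"), and the step opens with "将 `leftsubnet=0.0.0.0/0` 替换为", so a reader may end up with both `leftsubnet=` and `leftsubnets=` in `conn xauth-psk`. Suggest "对于多个子网(改用 `leftsubnets`,并删除原来的 `leftsubnet=` 行):" ("for multiple subnets, use `leftsubnets` instead and delete the original `leftsubnet=` line") so the old key is removed rather than kept beside the new one.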
@ -314,9 +319,14 @@ IKEv2 模式:启用 VPN 分流 (split tunneling)
下面的示例 **仅适用于** IKEv2 模式。这些命令必须用 `root` 账户运行。
1. 编辑 VPN 服务器上的 `/etc/ipsec.d/ikev2.conf`。在 `conn ikev2-cp` 小节中,将 `leftsubnet=0.0.0.0/0` 替换为你想要 VPN 客户端通过 VPN 隧道发送流量的子网。例如:
对于单个子网:
```
leftsubnet=10.123.123.0/24
```
对于多个子网(使用 `leftsubnets`):
```
leftsubnets="10.123.123.0/24,10.100.0.0/16"
```
1. **(重要)** 重启 IPsec 服务:
```
service ipsec restart
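Review bot: the IKEv2 steps edit `/etc/ipsec.d/ikev2.conf` and run `service ipsec restart` but never say where those commands are typed for this image; since these are the docker-ipsec-vpn-server docs (see the issue link in the commit message), suggest stating whether the file is edited inside the running container and whether the edit survives re-creating the container, otherwise a reader applies the split-tunnel change once and is surprised when it is gone after the next container start.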
@ -285,7 +285,7 @@ If you want the rules to persist after reboot, you may add these commands to `/e
## Split tunneling
With split tunneling, VPN clients will only send traffic for a specific destination subnet through the VPN tunnel. Other traffic will NOT go through the VPN tunnel. This allows you to gain secure access to a network through your VPN, without routing all your client's traffic through the VPN. Split tunneling has some limitations, and is not supported by all VPN clients.
With split tunneling, VPN clients will only send traffic for specific destination subnet(s) through the VPN tunnel. Other traffic will NOT go through the VPN tunnel. This allows you to gain secure access to a network through your VPN, without routing all your client's traffic through the VPN. Split tunneling has some limitations, and is not supported by all VPN clients.
Advanced users can optionally enable split tunneling for the [IPsec/XAuth ("Cisco IPsec")](clients-xauth.md) and/or [IKEv2](ikev2-howto.md) modes. Expand for details. IPsec/L2TP mode does not support this feature (except on Windows, see below).
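Review bot: "traffic for specific destination subnet(s)" in the rewritten paragraph reads awkwardly; suggest "traffic for one or more destination subnets". The paragraph would also help readers if it said that the subnet list is configured on the server (the `leftsubnet`/`leftsubnets` values in the sections that follow) and negotiated with the client, since that list is what decides which traffic bypasses the tunnel.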
@ -296,10 +296,15 @@ IPsec/XAuth ("Cisco IPsec") mode: Enable split tunneling
The example below **ONLY** applies to IPsec/XAuth ("Cisco IPsec") mode. Commands must be run as `root`.
1. Edit `/etc/ipsec.conf` on the VPN server. In the section `conn xauth-psk`, replace `leftsubnet=0.0.0.0/0` with the subnet you want VPN clients to send traffic through the VPN tunnel. For example:
1. Edit `/etc/ipsec.conf` on the VPN server. In the section `conn xauth-psk`, replace `leftsubnet=0.0.0.0/0` with the subnet(s) you want VPN clients to send traffic through the VPN tunnel. For example:
For a single subnet:
```
leftsubnet=10.123.123.0/24
```
For multiple subnets (use `leftsubnets` instead):
```
leftsubnets="10.123.123.0/24,10.100.0.0/16"
```
1. **(Important)** Restart the IPsec service:
```
service ipsec restart
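Review bot: the step still reads "replace `leftsubnet=0.0.0.0/0` with the subnet(s)", but the multiple-subnet example switches to a different key, `leftsubnets=`, so it should say explicitly that the `leftsubnet=` line is deleted and replaced by the `leftsubnets=` line; `leftsubnet` and `leftsubnets` are separate Libreswan options, and keeping both in `conn xauth-psk` is not what the example shows. A syntax check before the "(Important) Restart" step, e.g. `ipsec addconn --checkconfig`, would also let a reader catch a mistyped subnet list before `service ipsec restart` drops every connected client.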
@ -313,10 +318,15 @@ IKEv2 mode: Enable split tunneling
The example below **ONLY** applies to IKEv2 mode. Commands must be run as `root`.
1. Edit `/etc/ipsec.d/ikev2.conf` on the VPN server. In the section `conn ikev2-cp`, replace `leftsubnet=0.0.0.0/0` with the subnet you want VPN clients to send traffic through the VPN tunnel. For example:
1. Edit `/etc/ipsec.d/ikev2.conf` on the VPN server. In the section `conn ikev2-cp`, replace `leftsubnet=0.0.0.0/0` with the subnet(s) you want VPN clients to send traffic through the VPN tunnel. For example:
For a single subnet:
```
leftsubnet=10.123.123.0/24
```
For multiple subnets (use `leftsubnets` instead):
```
leftsubnets="10.123.123.0/24,10.100.0.0/16"
```
1. **(Important)** Restart the IPsec service:
```
service ipsec restart
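Review bot: the IKEv2 steps end at `service ipsec restart` with no way to confirm the change took effect; suggest a verification line after the restart, e.g. `ipsec status | grep ikev2-cp`, which should list the connection with the new subnet(s) in place of `0.0.0.0/0`, plus a reminder that the restart drops existing IKEv2 sessions, so clients must reconnect to negotiate the new traffic selectors.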