On Mon, 16 Jun 2014, Wolfgang Nothdurft wrote:
> I was trying to configure mode config with multiple subnets.
> The problem is that the connection with the second subnet can't connect (see
> log and example config):
>
> Jun 16 15:45:05 d1 pluto[27759]: "client/2x0"[1] 10.0.12.2 #1: cannot respond to IPsec SA request because no connection is known for 192.168.11.0/24===10.0.11.2[MS+S=C]...10.0.12.2[+MC+S=C]===192.168.12.1/32
>
> Should it be possible to use mode config with multiple subnets?
Yes it should be, but the server side code is still incomplete. You
need to send a CISCO_SPLIT_INC XAUTH attribute and then send multiple
"route objects". This code should be triggered when the client end is
not rightsubnet=0.0.0.0/0 but rightsubnets={ list of subnets }
On the client side, this already works (interops with Cisco). I can
provide you a log if it helps to see what you need to send.
> And there seems to be an old bug also that rightsubnet needs to be set with
> leftsubnets and vice versa.
> This would be problematic if you'd use rightaddresspool instead of
> rightsubnet on the server side.
Yes, that's a problem in the parser code in lib/libipsecconf/ being too
strict.
If you don't get to this, we can hopefully finish this for libreswan 3.10.
Paul
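For anyone triaging the same "cannot respond to IPsec SA request because no connection is known for" message, the following is an added example (not libreswan code and not from either poster) that parses the connection description pluto prints after it, `leftsubnet===lefthost[flags]...righthost[flags]===rightsubnet`, and checks the requested subnets against the subnets a server has configured. The sample log line is the one quoted above, re-joined onto a single line; the second sample line, the handling of a side printed without a subnet, and the `uncovered_subnets` helper are assumptions made for the example.

```python
"""Parse pluto's "no connection is known for" rejections.

Added example; not part of libreswan.  The flag strings in [...] are kept
verbatim rather than interpreted.
"""
import ipaddress
import re

# Constructed sample, modelled on the line quoted in the thread (the mail
# client wrapped the original across three lines; it is joined here).
SAMPLE_LOG = (
    'Jun 16 15:45:05 d1 pluto[27759]: "client/2x0"[1] 10.0.12.2 #1: cannot respond '
    'to IPsec SA request because no connection is known for '
    '192.168.11.0/24===10.0.11.2[MS+S=C]...10.0.12.2[+MC+S=C]===192.168.12.1/32'
)

LINE_RE = re.compile(
    r'pluto\[(?P<pid>\d+)\]: "(?P<conn>[^"]+)"(?:\[(?P<instance>\d+)\])? '
    r'(?P<peer>\S+) #(?P<state>\d+): cannot respond to IPsec SA request '
    r'because no connection is known for (?P<desc>\S+)'
)

# Assumption: either side's "subnet===" / "===subnet" part may be absent,
# in which case the side is treated as the host's own /32 below.
DESC_RE = re.compile(
    r'^(?:(?P<left_subnet>[^=\[]+)===)?'
    r'(?P<left_host>.+?)(?:\[(?P<left_flags>[^\]]*)\])?'
    r'\.\.\.'
    r'(?P<right_host>.+?)(?:\[(?P<right_flags>[^\]]*)\])?'
    r'(?:===(?P<right_subnet>.+))?$'
)


def parse_no_connection_line(line):
    """Return a dict describing the rejected request, or None when the line
    is not a 'no connection is known for' message."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    d = DESC_RE.match(m['desc'])
    if d is None:
        return None
    rec = {
        'pid': int(m['pid']),
        'conn': m['conn'],
        'instance': int(m['instance']) if m['instance'] else None,
        'peer': ipaddress.ip_address(m['peer']),
        'state': int(m['state']),
        'left_host': ipaddress.ip_address(d['left_host']),
        'left_flags': d['left_flags'] or '',
        'right_host': ipaddress.ip_address(d['right_host']),
        'right_flags': d['right_flags'] or '',
    }
    for side in ('left', 'right'):
        raw = d[f'{side}_subnet']
        # No printed subnet: fall back to the host address as a /32.
        rec[f'{side}_subnet'] = ipaddress.ip_network(raw if raw else str(rec[f'{side}_host']))
    return rec


def uncovered_subnets(rec, left_subnets, right_subnets):
    """Return the sides ('left' and/or 'right') whose requested subnet is not
    contained in any of the subnets configured for that side.  Inputs are
    network strings such as the entries of leftsubnets= / rightsubnets=."""
    configured = {
        'left': [ipaddress.ip_network(n) for n in left_subnets],
        'right': [ipaddress.ip_network(n) for n in right_subnets],
    }
    return [side for side in ('left', 'right')
            if not any(rec[f'{side}_subnet'].subnet_of(n) for n in configured[side])]


if __name__ == '__main__':
    rec = parse_no_connection_line(SAMPLE_LOG)
    print(f"conn={rec['conn']} instance={rec['instance']} peer={rec['peer']}")
    print(f"left  {rec['left_subnet']} via {rec['left_host']} [{rec['left_flags']}]")
    print(f"right {rec['right_subnet']} via {rec['right_host']} [{rec['right_flags']}]")
    # Constructed server configuration: only the first subnet is known.
    print('uncovered:', uncovered_subnets(rec, ['192.168.11.0/24'], ['192.168.12.0/24']))
```

Running it against the quoted line reports the left side as 192.168.11.0/24 via 10.0.11.2 and the right side as 192.168.12.1/32 via 10.0.12.2; feeding the parsed record a configured subnet list then shows immediately which side of the requested pair the responder has no matching connection for, which is the question the error leaves open.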
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan