On 16.06.2014 18:35, Paul Wouters wrote:
> On Mon, 16 Jun 2014, Wolfgang Nothdurft wrote:
>
>> I was trying to configure mode config with multiple subnets.
>>
>> The problem is that the connection with the second subnet can't
>> connect (see log and example config):
>>
>> Jun 16 15:45:05 d1 pluto[27759]: "client/2x0"[1] 10.0.12.2 #1: cannot
>> respond to IPsec SA request because no connection is known for
>> 192.168.11.0/24===10.0.11.2[MS+S=C]...10.0.12.2[+MC+S=C]===192.168.12.1/32
>>
>> Should it be possible to use mode config with multiple subnets?
>
> Yes it should be, but the server side code is still incomplete. You
> need to send a CISCO_SPLIT_INC XAUTH attribute and then send multiple
> "route objects".  This code should be triggered when the client end is
> not rightsubnet=0.0.0.0/0 but rightsubnets={ list of subnets }
>
> On the client side, this already works (interops with Cisco). I can
> provide you a log if it helps to see what you need to send.


Ok, looking at the code there seem to be two things missing in the server side code:

* proper handling for the long attributes in modecfg_resp (maybe modecfg_resp needs to be called twice - first for the normal attributes and second for the long attributes)

* assembling the response with the configured subnets

Am I right?

At the moment we can live with only having one subnet, because most setups will use 0.0.0.0/0 as local subnet.

Maybe I'll find some time after finishing the libreswan migration, so yes, you can send me the log.


>> And there seems to be an old bug also that rightsubnet needs to be set
>> with leftsubnets and vice versa.
>> This would be problematic if you'd use rightaddresspool instead of
>> rightsubnet on the server side.
>
> Yes, that's a problem in the parser code in lib/libipsecconf/ being too
> strict.
>
> If you don't get to this, we can hopefully finish this for libreswan 3.10.

We generate multiple conn sections for multiple subnets at the moment and I don't know if we benefit from switching to one conn with subnets.
So maybe I leave it as it is. ;)

Wolfgang
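The CISCO_SPLIT_INC attribute Paul refers to, as an added illustration that is not code from this thread or from libreswan: how a server would pack several subnets into one Mode Config TLV attribute, and how a client parser would read it back while refusing truncated or malformed entries. The 14-byte entry layout (address, mask, then protocol and port fields) follows the Cisco format as the writer understands it and is an assumption here, as are the sample subnets.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

CISCO_SPLIT_INC = 28676   # 0x7004; high bit clear, so the attribute is TLV-encoded
ENTRY_LEN = 14            # assumed entry layout: addr(4) mask(4) proto(2) sport(2) dport(2)


def encode_split_include(subnets):
    """Server side: pack every subnet into one CISCO_SPLIT_INC TLV attribute."""
    body = b""
    for s in subnets:
        net = IPv4Network(s, strict=True)          # rejects host bits set in the prefix
        # protocol / source port / destination port left zero, meaning "any"
        body += struct.pack("!II", int(net.network_address), int(net.netmask)) + b"\x00" * 6
    # ISAKMP attribute header: 2-byte type, 2-byte value length (TLV form)
    return struct.pack("!HH", CISCO_SPLIT_INC, len(body)) + body


def decode_split_include(attr):
    """Client side: parse the attribute back into 'a.b.c.d/n' strings.

    Raises ValueError on anything a careful parser should refuse: a short
    header, a length running past the payload, a value that is not a whole
    number of 14-byte records, or a netmask that is not contiguous.
    """
    if len(attr) < 4:
        raise ValueError("truncated attribute header")
    atype, alen = struct.unpack("!HH", attr[:4])
    if atype & 0x8000:
        raise ValueError("CISCO_SPLIT_INC must be TLV, got a TV attribute")
    if atype != CISCO_SPLIT_INC:
        raise ValueError(f"unexpected attribute type {atype}")
    value = attr[4:4 + alen]
    if len(value) != alen:
        raise ValueError("attribute length exceeds the payload")
    if alen % ENTRY_LEN:
        raise ValueError(f"value length {alen} is not a multiple of {ENTRY_LEN}")
    subnets = []
    for off in range(0, alen, ENTRY_LEN):
        addr, mask = struct.unpack("!II", value[off:off + 8])
        inv = ~mask & 0xFFFFFFFF                 # a valid mask inverts to 2^k - 1
        if inv & (inv + 1):
            raise ValueError(f"non-contiguous netmask {IPv4Address(mask)}")
        prefixlen = 32 - inv.bit_length()
        subnets.append(str(IPv4Network((addr, prefixlen), strict=True)))
    return subnets


if __name__ == "__main__":
    # constructed sample: two client-side subnets like the ones in the log line above
    wire = encode_split_include(["192.168.11.0/24", "192.168.12.0/24"])
    print(wire.hex())
    print(decode_split_include(wire))
```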
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan