Did you try setting [email protected]

Sent from my iPhone

> On Nov 20, 2014, at 15:44, Ted Timmons <[email protected]> wrote:
>
> Hi. I'm trying to set up swan. Networking has always been my weak
> skillset. I'm posting the config at the bottom, but know this is for
> AWS EC2 VPCs, I've disabled source/dest check, the sysctl items are
> correct. The idea is for the VPN to be used to connect to 172.xx IP
> addresses, and the VPN to not interfere otherwise.
>
> For testing, I'm using (very weak) PSK. It works to get the VPN up so
> I can get the routing sorted.
>
> I'd like the networking configuration to be on the swan side only. I
> know I need to use rightaddresspool to hand out a VPN IP to my road
> warriors, but that means I can't use rightsubnet, which is what seems
> correct to limit to the 172.xx range. (Yes, it's slightly more
> specific than 172, using shorthand.)
>
> Here's the config.
>
> $ cat /etc/ipsec.conf
> version 2.0
>
> config setup
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.42.0/24
>     protostack=netkey
>
> conn xauth-psk
>     authby=secret
>     pfs=no
>     auto=add
>     rekey=no
>     forceencaps=yes
>     left=172.31.xx.yy # this is my server's internal IP and is correct
>     rightaddresspool=172.31.47.1-172.31.47.254
>     right=%any
>     rightid=%fromcert
>     rightrsasigkey=%cert
>     modecfgdns1=172.31.0.2
>     leftxauthserver=yes
>     rightxauthclient=yes
>     leftmodecfgserver=yes
>     rightmodecfgclient=yes
>     modecfgpull=yes
>     xauthby=alwaysok
>     ike-frag=yes
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
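An added illustration, not part of the thread and not a libreswan project example, of how the server-side conn can keep rightaddresspool for the client's tunnel address while expressing the 172.16/12 restriction through leftsubnet (the local-side traffic selector) instead of rightsubnet. The placeholder address 172.31.xx.yy is taken from the post; the leftsubnet value and the xauthby comments are assumptions about the intended setup.

```ini
# Added example, not Ted's config. Server side only: the road warrior's inner
# address still comes from rightaddresspool, and leftsubnet= states which
# local-side range the tunnel carries, so rightsubnet= is not needed.
conn xauth-psk
    authby=secret
    pfs=no
    auto=add
    rekey=no
    forceencaps=yes
    left=172.31.xx.yy            # placeholder: the server's VPC-internal IP
    # Only traffic to this range is covered by the IPsec policy; with IKEv1
    # the client must propose a matching selector, as IKEv1 does not narrow.
    leftsubnet=172.16.0.0/12
    rightaddresspool=172.31.47.1-172.31.47.254
    right=%any
    # rightid=%fromcert and rightrsasigkey=%cert only matter for certificate
    # authentication and are dropped here because authby=secret is in use.
    modecfgdns1=172.31.0.2
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    # alwaysok accepts any username/password: acceptable for a routing test,
    # but for real users switch to xauthby=file (/etc/ipsec.d/passwd) or xauthby=pam.
    xauthby=alwaysok
    ike-frag=yes
```

After editing, `ipsec auto --add xauth-psk` reloads the conn and `ipsec status` shows the resulting selectors, so the 172.16.0.0/12 policy can be checked before any client connects.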
