On Tue, 12 May 2015, Bob Miller wrote:
> I think I got it figured out. In the hopes it is useful to others, this is
> what I did:
Thanks, I'll put this up on the Wiki!
> It seems that routing is a different game here. The way I used to do it was
> set the leftsubnet to be that of the remote network, then use iptables to do
> FORWARD between the networks, and then a NAT rule to allow internet access.
> I found that using this config, the leftsubnet *also* has to be set to
> 0.0.0.0/0 in order to allow internet traffic.
> I am not really clear on the narrowing function, I think I need to learn more
> on that, but that will be for another day. Thanks again for the pointer,
> Paul...
Narrowing basically lets a client ask for a subnet, and the server to
respond with a narrowed set of that. So you ask for 0.0.0.0/0 and you
get say 10.0.0.0/8.
Gory details are at https://tools.ietf.org/html/rfc7296#section-2.9
for a quick overview see "narrowing" in the "man ipsec.conf"
documentation.
Paul
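The narrowing Paul describes is, at the traffic-selector level, an intersection: the responder takes the address range the initiator proposed (TSi/TSr in RFC 7296 section 2.9) and answers with the subset its own policy permits. The small Python model below is an added illustration written for this thread, not code from libreswan or from either poster; it assumes the responder's policy is a single CIDR (the equivalent of a `leftsubnet=` line) and uses a constructed TEST-NET address (203.0.113.10) to stand in for "some host on the internet". It shows why Bob saw the behaviour he reported: with the server side set to 10.0.0.0/8, a client asking for 0.0.0.0/0 is narrowed to 10.0.0.0/8 and internet destinations fall outside the child SA, whereas a server-side 0.0.0.0/0 leaves the full range intact.

```python
"""Model of IKEv2 traffic-selector narrowing (RFC 7296 section 2.9).

A traffic selector is an inclusive address range (start, end). The responder
may only answer with a subset of what the initiator proposed, so the
narrowed selector is the intersection of the proposal and the responder's
policy. Added example for illustration; not libreswan's implementation.
"""
import ipaddress
from typing import List, Optional, Tuple

Range = Tuple[int, int]  # inclusive (first, last) address as integers


def ts_from_cidr(cidr: str) -> Range:
    """Turn a CIDR string (as written in leftsubnet=/rightsubnet=) into a range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def narrow(proposed: Range, policy: Range) -> Optional[Range]:
    """Intersect the initiator's proposal with the responder's policy.

    Returns None when the ranges do not overlap, which corresponds to the
    responder rejecting the child SA with TS_UNACCEPTABLE.
    """
    lo = max(proposed[0], policy[0])
    hi = min(proposed[1], policy[1])
    if lo > hi:
        return None
    return lo, hi


def to_cidrs(r: Range) -> List[str]:
    """Render an inclusive range as the minimal list of CIDR blocks."""
    first = ipaddress.ip_address(r[0])
    last = ipaddress.ip_address(r[1])
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def negotiate(client_asks_for: str, server_subnet: str) -> Optional[List[str]]:
    """Client proposes a subnet; server narrows it to its configured subnet."""
    result = narrow(ts_from_cidr(client_asks_for), ts_from_cidr(server_subnet))
    return None if result is None else to_cidrs(result)


def covered(cidrs: List[str], host: str) -> bool:
    """Would traffic to `host` be carried by a child SA with these selectors?"""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    internet_host = "203.0.113.10"  # constructed example address (TEST-NET-3)
    for server_subnet in ("10.0.0.0/8", "0.0.0.0/0"):
        agreed = negotiate("0.0.0.0/0", server_subnet)
        print(f"server subnet {server_subnet:>10} -> narrowed to {agreed}, "
              f"reaches {internet_host}: {covered(agreed, internet_host)}")
    print("disjoint proposal:", negotiate("192.168.1.0/24", "10.0.0.0/8"))
```

Run it and the first line shows the narrowed 10.0.0.0/8 selector not covering the internet host; the second shows the full 0.0.0.0/0 selector covering it. Routing and the iptables FORWARD/NAT rules are a separate layer: a packet still has to be routed into the tunnel, but if the negotiated selectors do not cover its destination it will never be protected, which matches the observation that leftsubnet had to be widened as well.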
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan