On Tue, 26 May 2015, Brandon Enochs wrote:

Isn't the subnet extraneous in that example since the right IP is fully specified?

The diagram is like:

     [leftsubnet]---[left]----internet----[right]----[rightsubnet]

Your IPsec gateway IPs are left= and right=. If you are building a
tunnel that should cover more than just the gateways themselves, that is,
a subnet-to-subnet tunnel, you need to specify that via leftsubnet=
and rightsubnet=.

Remember IPsec tunnels are not virtual wires: you cannot just "route"
anything into them. You need to tell it exactly which src-dst pairs of
packets are allowed to go through.

Paul

On May 26, 2015 11:04 PM, "Paul Wouters" <[email protected]> wrote:
      On Tue, 26 May 2015, Brandon Enochs wrote:

            Are IPv6 host-to-host connections with right specified as a subnet supported?


      Yes, for example:

      ipsec.conf:

      conn ipv6
              left=2001:db8:1:2::45
              leftid="@west"
              right=2001:db8:1:2::23
              rightsubnet=2001:db8:0:2::/64
              rightid="@east"
              auto=ondemand
              authby=secret

      ipsec.secrets:

      2001:db8:1:2::45 2001:db8:1:2::23 : PSK "secret"

      If your endpoints (left/right) are IPv4, and your subnet is IPv6, then
      you need a leftsubnet as well (with an IPv6 range) because both need to
      be of the same IP address family, and you need to add connaddrfamily=6.

      Paul
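
To make the point above concrete, here is an added example (written for this note, not libreswan's own code and not something posted on the list). It parses the flat key=value subset of ipsec.conf shown in the mail, derives the traffic selector each conn will carry, applies the address-family rules Paul describes, and checks whether a given src/dst packet would fit through the tunnel. The assumption that a missing leftsubnet/rightsubnet means "the gateway's own host address" is this example's simplification, and the conns named mixed-bad and mixed-ok, with 192.0.2.x gateways, are constructed for the illustration.

```python
"""Added example (not libreswan code): model what a libreswan-style conn
will actually carry. The parser handles only the flat key=value subset of
ipsec.conf shown in the mail; the defaulting rule (no leftsubnet/rightsubnet
means the gateway's own host address) is this example's assumption."""
import ipaddress

# Constructed sample: the conn from the mail plus two IPv4-gateway variants
# that carry IPv6 subnets, one without the family fixes and one with them.
SAMPLE_CONF = """\
conn ipv6
        left=2001:db8:1:2::45
        leftid="@west"
        right=2001:db8:1:2::23
        rightsubnet=2001:db8:0:2::/64
        rightid="@east"
        auto=ondemand
        authby=secret

conn mixed-bad
        left=192.0.2.1
        right=192.0.2.2
        rightsubnet=2001:db8:0:2::/64

conn mixed-ok
        left=192.0.2.1
        leftsubnet=2001:db8:0:1::/64
        right=192.0.2.2
        rightsubnet=2001:db8:0:2::/64
        connaddrfamily=6
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for a flat ipsec.conf fragment."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conns[current][key.strip()] = value.strip().strip('"')
    return conns


def _host_net(addr):
    """The single-address network for a gateway (a /32 or a /128)."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.ip_network(f"{ip}/{ip.max_prefixlen}")


def selectors(conn):
    """Return (left_net, right_net): the src/dst ranges the tunnel carries.
    Without a leftsubnet/rightsubnet we assume the gateway itself (host-to-host)."""
    left_net = (ipaddress.ip_network(conn["leftsubnet"])
                if "leftsubnet" in conn else _host_net(conn["left"]))
    right_net = (ipaddress.ip_network(conn["rightsubnet"])
                 if "rightsubnet" in conn else _host_net(conn["right"]))
    return left_net, right_net


def check_families(conn):
    """Apply the address-family rules from the mail; return a list of problems."""
    problems = []
    gw_version = ipaddress.ip_address(conn["left"]).version
    if ipaddress.ip_address(conn["right"]).version != gw_version:
        problems.append("left and right must be in the same address family")
    left_net, right_net = selectors(conn)
    if left_net.version != right_net.version:
        problems.append("leftsubnet and rightsubnet must be in the same address "
                        "family (IPv4 gateways with an IPv6 subnet need an IPv6 "
                        "leftsubnet too)")
    elif left_net.version == 6 and gw_version == 4 \
            and conn.get("connaddrfamily") != "6":
        problems.append("IPv4 gateways carrying IPv6 subnets: add connaddrfamily=6")
    return problems


def packet_allowed(conn, src, dst):
    """True if a src->dst packet matches the tunnel's selector in either direction."""
    left_net, right_net = selectors(conn)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in left_net and d in right_net) or (s in right_net and d in left_net)


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONF)
    for name, conn in conns.items():
        print(name, "carries", " <-> ".join(str(n) for n in selectors(conn)),
              "problems:", check_families(conn) or "none")
    # Traffic from west to a host in east's subnet fits the selector; west to
    # east's own gateway address does not, because rightsubnet is the selector.
    c = conns["ipv6"]
    print(packet_allowed(c, "2001:db8:1:2::45", "2001:db8:0:2::10"))  # True
    print(packet_allowed(c, "2001:db8:1:2::45", "2001:db8:1:2::23"))  # False
```

Running it shows the answer to the question in the thread: with rightsubnet set, the right= address is only the gateway that terminates the tunnel, and a packet addressed to that gateway itself is outside the selector unless it also falls inside rightsubnet. The mixed-bad conn reports the family mismatch Paul describes, and mixed-ok passes once both sides have an IPv6 subnet and connaddrfamily=6.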



_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan