I was more asking about the host to host transport mode and not tunneling.

On May 26, 2015 11:08 PM, "Paul Wouters" <[email protected]> wrote:

> On Tue, 26 May 2015, Brandon Enochs wrote:
>
>> Isn't the subnet extraneous in that example since the right IP is fully
>> specified?
>
> the diagram is like:
>
> [leftsubnet]-[left] ----internet---[right]----[rightsubnet]
>
> Your IPsec gateway IPs are left= and right=. If you are building a
> tunnel that should cover more than just the gateways themselves, so a
> subnet to subnet tunnel, you need to specify that via leftsubnet=
> and rightsubnet=
>
> Remember IPsec tunnels are not virtual wires, you cannot just "route"
> anything into them. You need to tell exactly what src-dst of packets
> are allowed to go through.
>
> Paul
>
> On May 26, 2015 11:04 PM, "Paul Wouters" <[email protected]> wrote:
>
>> On Tue, 26 May 2015, Brandon Enochs wrote:
>>
>> Are IPv6 host to host connections with right specified as a
>> subnet supported?
>>
>> Yes, for example:
>>
>> ipsec.conf:
>>
>> conn ipv6
>>     left=2001:db8:1:2::45
>>     leftid="@west"
>>     right=2001:db8:1:2::23
>>     rightsubnet=2001:db8:0:2::/64
>>     rightid="@east"
>>     auto=ondemand
>>     authby=secret
>>
>> ipsec.secrets:
>>
>> 2001:db8:1:2::45 2001:db8:1:2::23 : PSK "secret"
>>
>> If your endpoints (left/right) are IPv4, and your subnet is IPv6, then
>> you need a leftsubnet as well (with an ipv6 range) because both need to
>> be of the same IP address family, and you need to add
>> connaddrfamily=6
>>
>> Paul
>>
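As an added example (not from this thread and not libreswan's own code), a small Python check that encodes the address-family rule Paul states and runs it over the conn from the thread plus a constructed IPv4-gateway variant before and after the fix. The minimal parser, the exact wording of the findings, and the 192.0.2.1/198.51.100.1/2001:db8:0:1::/64 sample values are assumptions; connaddrfamily=6 is used as written in the thread.

```python
import ipaddress

# Tiny parser for the conn sections of an ipsec.conf-style text (written for
# this example; it only handles "conn name" headers and key=value lines).
def parse_conns(text):
    conns, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns

def family(value):
    """4 or 6 for an address or CIDR; None for %any, %defaultroute or names."""
    try:
        return ipaddress.ip_network(value, strict=False).version
    except ValueError:
        return None

def check_families(conn):
    """Problems found (empty list = consistent), per the rule in the thread:
    both traffic selectors must share one address family, and IPv6 selectors
    over IPv4 endpoints need an IPv6 leftsubnet= plus connaddrfamily=6.
    A missing leftsubnet/rightsubnet defaults to that endpoint's own address."""
    ends = {s: family(conn.get(s, "")) for s in ("left", "right")}
    sels = {s: family(conn.get(s + "subnet", conn.get(s, ""))) for s in ends}
    if None in ends.values():
        return ["left/right is not a literal address; family cannot be checked"]
    problems, v4_gateways = [], ends == {"left": 4, "right": 4}
    if ends["left"] != ends["right"]:
        problems.append("left and right endpoints are different address families")
    if sels["left"] != sels["right"]:
        msg = "leftsubnet and rightsubnet are different address families"
        if v4_gateways and 6 in sels.values():
            msg += "; both sides need an IPv6 range (add leftsubnet=)"
        problems.append(msg)
    if v4_gateways and 6 in sels.values() and conn.get("connaddrfamily") != "6":
        problems.append("IPv6 traffic over IPv4 endpoints needs connaddrfamily=6")
    return problems

# Constructed inputs: the conn from the thread as ipsec.conf text, and an
# IPv4-gateway variant before and after applying the thread's advice.
THREAD_CONN = parse_conns("conn ipv6\n left=2001:db8:1:2::45\n leftid=\"@west\"\n"
    " right=2001:db8:1:2::23\n rightsubnet=2001:db8:0:2::/64\n rightid=\"@east\"")["ipv6"]
V4GW_BROKEN = {"left": "192.0.2.1", "right": "198.51.100.1",
               "rightsubnet": "2001:db8:0:2::/64"}
V4GW_FIXED = dict(V4GW_BROKEN, leftsubnet="2001:db8:0:1::/64", connaddrfamily="6")
```

Running `check_families` over the three conns returns an empty list for the thread's conn and for the fixed variant, and two findings for the broken one.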
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
