On Mon, 25 Jul 2016, Sergey Mihailov wrote:
> ---
> conn mytunnel
> [email protected]
> left=192.168.121.17
> leftsourceip=192.168.129.254
> leftsubnets={192.168.129.0/24 192.168.128.0/24} # <--- ? (subnets)

Do not use XXXsourceip= when using XXXsubnetS= because the sourceip can only
refer to one subnet.

Why are you not using 192.168.128/23 instead of 192.168.129.0/24 +
192.168.128.0/24 ?

> conn 129-exclude
> left=0.0.0.0 # <---- ? (left)
> leftsubnet=192.168.129.0/24
> right=192.168.129.254
> rightsubnet=192.168.129.0/24
> authby=never
> type=passthrough
> auto=route
>
> conn 128-exclude
> left=192.168.128.250
> leftsubnet=192.168.128.0/24
> right=0.0.0.0 # <----- ? (right)
> rightsubnet=192.168.128.0/24
> authby=never
> type=passthrough
> auto=route

Seems okay,

> No really works in CentOS 6.8 + updates.
> I see: https://libreswan.org/wiki/Subnet_extrusion
> ...
> conn branch1 # <--- ? ( branch1 )
> left=1.2.3.4
> leftid=@headoffice
> leftsubnet=0.0.0.0/0
> leftrsasigkey=0sA[...]
> #
> right=10.11.12.13
> rightid=@branch2 # <---- ? ( branch2 )
> rightsubnet=10.0.1.0/24
> rightrsasigkey=0sAYYYY[...]
> #
> auto=start
> authby=rsasigkey
>
> conn passthrough
> left=1.2.3.4 # <--- ? ( from headoffice)

The passthrough goes on your branch office. In this case left= is the
branch and right is the world. So left should be a local ip on your
branch IPsec gateway. You could probably use left=%defaultroute.

> right=0.0.0.0
> leftsubnet=10.0.1.0/24 # <--- ? ( from branch2 )
> rightsubnet=10.0.1.0/24

Yes left and right subnet are the same. It should be the local network.
Once you have the real ipsec connection from your local networks to
"everything" installed, you need to exclude traffic from the local
network to the local network to remain local and not be sent to the
remote location. So this is that override.

> authby=never
> type=passthrough
> auto=route

Paul
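The three points raised in the reply above (sourceip= does not combine with the plural subnets=, two adjacent /24s are one /23, and a passthrough exclusion must have the same local network on both sides) are easy to check mechanically. The following Python script is an added example, not part of the thread and not a libreswan tool: it parses the conn sections of an ipsec.conf-style text and reports those three pitfalls. The sample configuration embedded in it is constructed for the demonstration and only loosely mirrors the configs quoted above; the conn names and the 203.0.113.5 peer address are placeholders.

```python
"""Added example: lint ipsec.conf conn sections for the pitfalls discussed above.

Not libreswan code. It only understands 'conn NAME' sections with key=value
lines (comments after '#' are stripped) and flags:
  * leftsourceip=/rightsourceip= combined with leftsubnets=/rightsubnets=
  * leftsubnets=/rightsubnets= lists that collapse to fewer prefixes (/24+/24 -> /23)
  * type=passthrough conns whose leftsubnet= and rightsubnet= differ
"""
import ipaddress
import re

# Constructed sample config; peer address and conn names are placeholders.
SAMPLE_CONF = """\
conn mytunnel
    left=192.168.121.17
    leftsourceip=192.168.129.254
    leftsubnets={192.168.129.0/24 192.168.128.0/24}
    right=203.0.113.5
    rightsubnet=0.0.0.0/0
    authby=secret
    auto=start

conn 129-exclude
    left=%defaultroute
    leftsubnet=192.168.129.0/24
    right=0.0.0.0
    rightsubnet=192.168.129.0/24
    authby=never
    type=passthrough
    auto=route

conn bad-passthrough
    left=%defaultroute
    leftsubnet=10.0.1.0/24
    right=0.0.0.0
    rightsubnet=0.0.0.0/0   # wrong: exclusion must be local-to-local
    authby=never
    type=passthrough
    auto=route
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def _subnet_list(value):
    """'{a/24 b/24}' or 'a/24, b/24' -> list of ip_network objects."""
    parts = re.split(r"[\s,]+", value.strip("{}").strip())
    return [ipaddress.ip_network(p, strict=False) for p in parts if p]


def check_conn(name, opts):
    """Return the list of warning strings for one parsed conn."""
    warnings = []
    for side in ("left", "right"):
        if f"{side}sourceip" in opts and f"{side}subnets" in opts:
            warnings.append(f"{name}: {side}sourceip= cannot be combined with "
                            f"{side}subnets= (a sourceip refers to one subnet)")
        if f"{side}subnets" in opts:
            nets = _subnet_list(opts[f"{side}subnets"])
            merged = list(ipaddress.collapse_addresses(nets))
            if len(merged) < len(nets):
                warnings.append(f"{name}: {side}subnets= could be written as "
                                + ", ".join(map(str, merged)))
    if opts.get("type") == "passthrough":
        if opts.get("leftsubnet") != opts.get("rightsubnet"):
            warnings.append(f"{name}: passthrough exclusion needs leftsubnet= "
                            "equal to rightsubnet= (both the local network)")
    return warnings


def check_config(text):
    """Lint every conn in an ipsec.conf-style text; returns {name: [warnings]}."""
    return {name: check_conn(name, opts) for name, opts in parse_conns(text).items()}


if __name__ == "__main__":
    for conn, msgs in check_config(SAMPLE_CONF).items():
        for msg in msgs or [f"{conn}: ok"]:
            print(msg)
```

Running it prints two warnings for mytunnel (sourceip together with subnets=, and the two /24s collapsing to 192.168.128.0/23), nothing for 129-exclude, and one warning for bad-passthrough. The checker is deliberately narrow; it does not validate addresses against the host's interfaces, so whether left= is really a local gateway address, as the reply asks for, still has to be confirmed by hand.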
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan