On Thu, 19 Jan 2017, Xinwei Hong wrote:
Thank you very much. After I enabled IP forwarding and added sourceip, things are working now. The send_redirects/accept_redirects settings do not seem to matter. Regarding sourceip, you mentioned: "Of course, if the IPsec server is just routing the entire /24 elsewhere, this does not apply." In my case, I do want to route the entire /24 to the remote side. Can you confirm that sourceip is required even in this case?
The sourceip is required only if you want the ipsec gateway itself to talk to the remote subnet. Then it needs to be convinced to use the internal instead of the external IP. If you are just routing it to another machine, then if you want to reach the remote subnet from the ipsec server, you would need another tunnel definition from the ipsec server itself to the remote subnet. So you would add it without leftsubnet= so that it is a tunnel from "left" to "rightsubnet".
Last time, when I set up VTI support, sourceip did not seem to be required.
Yes. With VTI, routes are used to determine what gets encrypted, and a route for the remote subnet via the VTI interface causes the encryption to happen. Of course, the tunnel policy still needs to include the src/dst IP combo, but often VTI tunnels use subnets of 0.0.0.0/0 so anything routed into it will just work.

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
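As an added example (not part of the thread, and not configuration shipped by the Libreswan project), the three arrangements Paul describes are spelled out below in ipsec.conf syntax: the policy-based tunnel that routes the whole /24 with leftsourceip= for the gateway's own traffic, the extra conn without leftsubnet= for a gateway that has no address inside the /24, and the VTI alternative where a kernel route selects the traffic. All addresses, IDs, conn names and the vti01 interface name are made up; Libreswan's option for what the thread calls "sourceip" is leftsourceip= (and rightsourceip= on the other side). The three conns are alternatives to compare, not a set to load together: the 0.0.0.0/0 VTI policy would overlap with the /24 conns.

```ini
# Constructed example; every address, ID and name here is illustrative.
# Gateway A: public 203.0.113.1, internal 10.1.0.1 on 10.1.0.0/24
# Gateway B: public 198.51.100.1, with 10.2.0.0/24 behind it

# Case 1: policy-based tunnel carrying the whole /24.
# Hosts in 10.1.0.0/24 reach 10.2.0.0/24 through gateway A
# (net.ipv4.ip_forward=1 on A). They need no sourceip at all.
conn site-a-to-site-b
    left=203.0.113.1
    leftid=@site-a
    leftsubnet=10.1.0.0/24
    # Only needed when gateway A itself must talk to 10.2.0.0/24:
    # its own packets then originate from 10.1.0.1 and match the
    # leftsubnet/rightsubnet policy, instead of leaving from
    # 203.0.113.1 and bypassing the tunnel.
    leftsourceip=10.1.0.1
    right=198.51.100.1
    rightid=@site-b
    rightsubnet=10.2.0.0/24
    authby=secret
    auto=start

# Case 2: gateway A has no address inside 10.1.0.0/24 (it only
# routes that /24 onward to another machine). A second conn without
# leftsubnet= lets leftsubnet default to left's own address,
# 203.0.113.1/32, giving a tunnel from "left" to rightsubnet for the
# gateway's own traffic. No leftsourceip is involved.
conn gateway-a-to-site-b
    left=203.0.113.1
    leftid=@site-a
    right=198.51.100.1
    rightid=@site-b
    rightsubnet=10.2.0.0/24
    authby=secret
    auto=start

# Case 3: route-based (VTI) tunnel. The policy is 0.0.0.0/0 on both
# sides, so the src/dst combo is always covered; the kernel route
# into vti01, not the policy, decides what gets encrypted.
conn site-a-to-site-b-vti
    left=203.0.113.1
    leftid=@site-a
    leftsubnet=0.0.0.0/0
    leftvti=10.0.0.1/30
    right=198.51.100.1
    rightid=@site-b
    rightsubnet=0.0.0.0/0
    mark=5/0xffffffff
    vti-interface=vti01
    # Routes are added by hand, e.g.: ip route add 10.2.0.0/24 dev vti01
    vti-routing=no
    authby=secret
    auto=start
```

To check which case is actually in effect after `ipsec auto --up <conn>`: `ip xfrm policy` lists the src/dst selectors the kernel will encrypt, so a gateway that cannot reach the remote /24 usually shows no policy whose src covers the address its packets leave from (the symptom leftsourceip= or the second conn fixes). For the VTI case, `ip route get 10.2.0.5` should answer with `dev vti01`; if it names the external interface instead, the route is missing and the 0.0.0.0/0 policy alone will not pull the traffic in.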
