Thank you so much. I just double checked, and I got all the expected results, as you mentioned here. It all makes sense now.
Thanks,
Xinwei

On Thu, Jan 19, 2017 at 8:33 PM, Paul Wouters <[email protected]> wrote:
> On Thu, 19 Jan 2017, Xinwei Hong wrote:
>
>> Thank you very much. After I enabled IP forwarding and added sourceip, things
>> are working now. The send_redirects/accept_redirects settings do not seem to
>> matter.
>> Regarding sourceip, you mentioned:
>> "Of course, if the IPsec server is just routing the entire /24 elsewhere,
>> this does not apply."
>> In my case, I do want to route the entire /24 to the remote side. Can you confirm
>> that sourceip is required even in this case?
>
> The sourceip is required only if you want the ipsec gateway itself
> to talk to the remote subnet. Then it needs to be convinced to use
> the internal instead of the external ip. If you are just routing it to
> another machine, then if you want to reach the remote subnet on
> the ipsec server, you would need another tunnel definition from the
> ipsec server itself to the remote subnet. So you would add it
> without leftsubnet= so that it is a tunnel from "left" to "rightsubnet".
>
>> Last time, when I set up VTI support, sourceip did not seem to be required.
>
> Yes. With VTI, routes are used to determine what gets encrypted, and
> a route for the remote subnet into the VTI interface causes the
> encryption to happen. Of course, the tunnel policy still needs to
> include the src/dst IP combo, but often VTI tunnels use subnets of
> 0.0.0.0/0 so anything routed into it will just work.
>
> Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
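The three configurations Paul describes (a policy-based /24-to-/24 tunnel where the gateway's own traffic needs a sourceip, the alternative of a second host-to-subnet tunnel without leftsubnet=, and a route-based VTI tunnel with 0.0.0.0/0 selectors), written out as an ipsec.conf fragment. This is an added example, not text from the thread or from the Libreswan project; the addresses are constructed from the RFC 5737 documentation ranges, the conn names are hypothetical, and the keywords used (leftsourceip=, mark=, vti-interface=, vti-routing=) are the ipsec.conf spellings of the options the thread refers to as "sourceip" and "VTI support".

```ini
# Added example, not from the thread. Constructed addresses:
#   Gateway A: public 203.0.113.1, LAN 10.1.0.0/24, internal address 10.1.0.1
#   Gateway B: public 198.51.100.1, LAN 10.2.0.0/24
# All conns assume a matching PSK in ipsec.secrets (authby=secret).
# Gateway A also needs net.ipv4.ip_forward=1 so LAN hosts can be routed.

# Case 1: policy-based tunnel covering the whole /24 on both sides.
# Hosts behind A match the 10.1.0.0/24 <-> 10.2.0.0/24 policy and are
# encrypted. Packets generated by A itself would leave with source
# 203.0.113.1, which is outside leftsubnet= and therefore NOT encrypted.
conn lan-to-lan
    left=203.0.113.1
    leftsubnet=10.1.0.0/24
    right=198.51.100.1
    rightsubnet=10.2.0.0/24
    authby=secret
    auto=start
    # Option A: make the gateway's own traffic use its internal address so
    # it falls inside leftsubnet= and matches the policy.
    #leftsourceip=10.1.0.1

# Option B (Paul's suggestion): leave lan-to-lan without leftsourceip= and
# add a second tunnel from the gateway host itself to the remote subnet.
# With no leftsubnet=, "left" is the gateway's own /32, so the policy is
# 203.0.113.1/32 <-> 10.2.0.0/24 and the gateway can reach the remote LAN.
conn gateway-to-lan
    left=203.0.113.1
    right=198.51.100.1
    rightsubnet=10.2.0.0/24
    authby=secret
    auto=start

# Case 2: route-based (VTI) tunnel. The policy is 0.0.0.0/0 <-> 0.0.0.0/0,
# tied to this tunnel by the mark, so anything the kernel routes into vti01
# is encrypted and no leftsourceip= is needed. vti-routing=no because with
# 0.0.0.0/0 selectors an automatic route would replace the default route;
# the operator adds the route instead, after the tunnel is up:
#   ip route add 10.2.0.0/24 dev vti01
conn vti-lan-to-lan
    left=203.0.113.1
    right=198.51.100.1
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    authby=secret
    mark=5/0xffffffff
    vti-interface=vti01
    vti-routing=no
    auto=start
```

Option A and Option B are alternatives; loading both is harmless but redundant. In Case 2 the security-relevant check is the route table rather than the policy: `ip route get 10.2.0.5` should show `dev vti01`, otherwise the packet leaves in the clear over the default route while the tunnel still reports as established.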
