Thank you very much. I understand the sourceip part now. Also, I understand I can bring up/down connections using the method you mentioned.
Let's say my ipsec.conf has a conn test1 configured between two subnets. The ipsec.conf is loaded by pluto and everything is working. After some time, we decide to add another subnet pair between the same endpoints. I need to add a new snippet for "conn test2" into ipsec.conf. If I do "ipsec auto --add test2", will it actually work? Does pluto reload the ipsec.conf file? Does ipsec auto cause pluto to restart? Do the phase 1 tunnel and conn test1 get re-established? We don't want to interrupt the tunnel for conn test1.

Thanks,
Xinwei

On Thu, Jan 19, 2017 at 8:48 PM, Paul Wouters <[email protected]> wrote:

> On Thu, 19 Jan 2017, Xinwei Hong wrote:
>
>> Another question. If I have multiple networks on both sides of the ipsec
>> tunnel, I assume we would need to use leftsubnets/rightsubnets to specify
>> multiple networks. However, in my last email, we found that
>> leftsourceip/rightsourceip are required. Since we have multiple networks
>> now, what address should be used as the sourceip?
>
> If you need to access more remote subnets on the remote end from the
> local server itself, you have two choices:
>
> - Add host-subnet connections, like:
>
>   conn subnet1
>       left=a.b.c.d
>       right=e.f.g.h
>       leftsubnets=X.0.0.0/8,Y.0.0.0/8
>       rightsubnets=W.0.0.0/8,Z.0.0.0/8
>       [...]
>
>   conn host-subnet1
>       left=a.b.c.d
>       right=e.f.g.h
>       rightsubnet=W.0.0.0/8
>       [...]
>
>   conn host-subnet2
>       left=a.b.c.d
>       right=e.f.g.h
>       rightsubnet=Z.0.0.0/8
>       [...]
>
> This will result in 4 + 1 + 1 tunnels: all the subnets to all the subnets,
> and the ipsec server to both subnets.
>
> Since you now have tunnels where your public ip (nearest to the remote
> subnet) is part of an IPsec tunnel, your connections will work without
> needing sourceip=
>
> The alternative is to split the subnetS conn into 4 different
> subnet to subnet tunnels, and specify the leftsourceip=
> But that only makes sense if you have an IP from those local
> subnets specified on the machine itself.
> Again, if you are just routing those subnets locally to another machine,
> sourceip= is not needed.
>
>> Also, with our current setting using racoon, we can add/remove subnets on
>> the fly once the tunnel is established. We just do some spdadd to tell the
>> tunnel new subnets. To do the same thing, do we have to make changes to the
>> ipsec.conf file and restart the pluto daemon now? We want the existing
>> connections uninterrupted.
>
> If you use separate conns, then you can simply run:
>
>   ipsec auto --add connXXX
>   ipsec auto --up connXXX
>   ipsec auto --down connXXX
>   ipsec auto --delete connXXX
>
> to manually add/remove them. If you use the subnetS= construct, then
> you will see numbered conns appearing. For example:
>
>   conn test
>       left=a.b.c.d
>       right=e.f.g.h
>       leftsubnets=X.0.0.0/8,Y.0.0.0/8
>       rightsubnets=W.0.0.0/8,Z.0.0.0/8
>       [...]
>
> when this connection is added and brought up using --add and --up,
> you will see in "ipsec status"
>
>   conn test1x1
>   conn test1x2
>   conn test2x1
>   conn test2x2
>
> You can treat those as regular conns, so you can do:
>
>   ipsec auto --delete test2x1
>
> Note that if you use DPD, and the base connection gets restarted,
> it will re-add this deleted conn again.
>
> Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
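Added illustration, not part of the thread and not libreswan code: a small in-memory model of the two points Paul's reply makes, the numbered instances that a multi-subnet conn produces in "ipsec status" and the add/up/down/delete handling of separate conns, including the DPD caveat that a base-conn restart re-adds an instance deleted on its own. The instance naming (name + i + "x" + j, 1-based, i over the leftsubnets= list and j over the rightsubnets= list), the keyword spelling leftsubnets=/rightsubnets=, the subnet placeholders and the assumption that --add of a new separate conn leaves already-established conns alone are all taken or inferred from the reply, not verified against pluto; the helper names are the example's own.

```python
"""Toy model of the conn naming and --add/--up/--down/--delete behaviour
described in the reply. Constructed for illustration only: it keeps a
table in memory and records the commands you would run; it does not talk
to pluto or read ipsec.conf."""


def expand_subnets_conn(name, left_subnets, right_subnets):
    """Instance names as the reply shows them in "ipsec status": <name><i>x<j>,
    1-based, with i walking the leftsubnets= list and j the rightsubnets= list
    (which index belongs to which side is an assumption)."""
    return {
        f"{name}{i}x{j}": (left, right)
        for i, left in enumerate(left_subnets, start=1)
        for j, right in enumerate(right_subnets, start=1)
    }


class PlutoModel:
    """Tracks which conns are loaded and up, and the commands issued so far."""

    def __init__(self):
        self.base = {}       # base conn name -> (leftsubnets, rightsubnets)
        self.loaded = set()  # conn names "ipsec status" would list
        self.up = set()      # conn names with an established tunnel
        self.commands = []   # ipsec auto commands this sequence corresponds to

    def instances(self, name):
        """A multi-subnet base conn is seen as its numbered instances."""
        if name not in self.base:
            return [name]
        left, right = self.base[name]
        names = list(expand_subnets_conn(name, left, right))
        return names if len(names) > 1 else [name]

    def add(self, name, left_subnets, right_subnets):
        """ipsec auto --add: load one conn; conns already up are not touched
        (assumed from the reply's "simply run ... to manually add/remove them")."""
        self.commands.append(f"ipsec auto --add {name}")
        self.base[name] = (tuple(left_subnets), tuple(right_subnets))
        self.loaded.update(self.instances(name))
        return sorted(self.loaded)

    def bring_up(self, name):
        """ipsec auto --up: a base name brings up every instance."""
        self.commands.append(f"ipsec auto --up {name}")
        targets = self.instances(name)
        missing = [t for t in targets if t not in self.loaded]
        if missing:
            raise ValueError(f"not loaded, run --add first: {missing}")
        self.up.update(targets)
        return sorted(self.up)

    def down(self, name):
        """ipsec auto --down: tear down the tunnel(s), keep the conn loaded."""
        self.commands.append(f"ipsec auto --down {name}")
        self.up.difference_update(self.instances(name))
        return sorted(self.up)

    def delete(self, name):
        """ipsec auto --delete: works on a base conn or on one numbered instance."""
        self.commands.append(f"ipsec auto --delete {name}")
        targets = self.instances(name)
        self.base.pop(name, None)
        self.loaded.difference_update(targets)
        self.up.difference_update(targets)
        return sorted(self.loaded)

    def restart_base(self, name):
        """The DPD caveat from the reply: a restart of the base conn re-adds
        every instance, including one removed with --delete."""
        if name not in self.base:
            raise KeyError(f"{name} is not a loaded base conn")
        targets = self.instances(name)
        self.loaded.update(targets)
        self.up.update(targets)
        return sorted(self.loaded)


def add_subnet_pair_without_interruption(model, new_name, left, right):
    """Xinwei's scenario with separate conns: add and bring up the new conn
    while the existing one stays up. Returns the up-set before and after."""
    before = set(model.up)
    model.add(new_name, [left], [right])
    model.bring_up(new_name)
    return before, set(model.up)


# Constructed placeholder subnets, in the style of the reply.
LEFT_SUBNETS = ["X.0.0.0/8", "Y.0.0.0/8"]
RIGHT_SUBNETS = ["W.0.0.0/8", "Z.0.0.0/8"]

if __name__ == "__main__":
    m = PlutoModel()
    print(m.add("test", LEFT_SUBNETS, RIGHT_SUBNETS))  # the four numbered instances
    m.bring_up("test")
    print(m.delete("test2x1"))                         # one instance removed
    print(m.restart_base("test"))                      # and back after a base restart
    for cmd in m.commands:
        print(cmd)
```

The two separate conns in add_subnet_pair_without_interruption only ever generate "--add test2" and "--up test2", which is what keeps test1's tunnel out of the picture; the multi-subnet conn, by contrast, is one object to pluto, so an instance deleted individually comes back as soon as the base conn is restarted, which is the reason to prefer separate conns when subnets are expected to change over time.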
