I tried it. It looks like "ip auto --add test2" will reload the config file and the pluto process does not restart.
Thanks,
Xinwei

On Thu, Jan 19, 2017 at 11:22 PM, Xinwei Hong <[email protected]> wrote:

> Thank you very much. I understand the sourceip part now. Also, I
> understand I can bring up/down connections using the method you mentioned.
>
> Let's say my ipsec.conf has a conn test1 configured between two subnets.
> The ipsec.conf is loaded by pluto and everything is working. After
> some time, we decide to add another subnet pair between the same endpoints.
> I need to add a new snippet for "conn test2" into ipsec.conf. If I do
> "ip auto --add test2", will it actually work? Does pluto reload the ipsec.conf
> file? Does ip auto cause pluto to restart? Do the phase 1 tunnel and conn
> test1 get re-established? We don't want to interrupt the tunnel for conn test1.
>
> Thanks,
> Xinwei
>
> On Thu, Jan 19, 2017 at 8:48 PM, Paul Wouters <[email protected]> wrote:
>
>> On Thu, 19 Jan 2017, Xinwei Hong wrote:
>>
>>> Another question. If I have multiple networks on both sides of the ipsec
>>> tunnel, I assume we would need to use leftsubnets/rightsubnets to specify
>>> multiple networks. However, in my last email, we found that
>>> leftsourceip/rightsourceip are required. Since we have multiple networks
>>> now, what address should be used as the sourceip?
>>
>> If you need to access more remote subnets on the remote end from the
>> local server itself, you have two choices:
>>
>> - Add host-subnet connections, like:
>>
>> conn subnet1
>>     left=a.b.c.d
>>     right=e.f.g.h
>>     leftsubnets=X.0.0.0/8,Y.0.0.0/8
>>     rightsubnets=W.0.0.0/8,Z.0.0.0/8
>>     [...]
>>
>> conn host-subnet1
>>     left=a.b.c.d
>>     right=e.f.g.h
>>     rightsubnet=W.0.0.0/8
>>     [...]
>>
>> conn host-subnet2
>>     left=a.b.c.d
>>     right=e.f.g.h
>>     rightsubnet=Z.0.0.0/8
>>     [...]
>>
>> This will result in 4 + 1 + 1 tunnels. All the subnets to all the subnets
>> and the ipsec server to both subnets.
>>
>> Since you now have tunnels where your public ip (nearest to the remote
>> subnet) is part of an IPsec tunnel, your connections will work without
>> needing sourceip=
>>
>> The alternative is to split the subnetS conn into 4 different
>> subnet to subnet tunnels, and specify leftsourceip=
>> But that only makes sense if you have an IP from those local
>> subnets specified on the machine itself. Again, if you are just
>> routing those subnets locally to another machine, sourceip= is
>> not needed.
>>
>>> Also, with our current setting using racoon, we can add/remove subnets on
>>> the fly once the tunnel is established. We just do some spdadd to tell the
>>> tunnel new subnets. To do the same thing, do we have to make changes to the
>>> ipsec.conf file and restart the pluto daemon now? We want the existing
>>> connections uninterrupted.
>>
>> If you use separate conns, then you can simply run:
>>
>> ipsec auto --add connXXX
>> ipsec auto --up connXXX
>> ipsec auto --down connXXX
>> ipsec auto --delete connXXX
>>
>> to manually add/remove them. If you use the subnetS= construct, then
>> you will see numbered conns appearing. For example:
>>
>> conn test
>>     left=a.b.c.d
>>     right=e.f.g.h
>>     leftsubnets=X.0.0.0/8,Y.0.0.0/8
>>     rightsubnets=W.0.0.0/8,Z.0.0.0/8
>>     [...]
>>
>> when this connection is added and brought up using --add and --up,
>> you will see in "ipsec status"
>>
>> conn test1x1
>> conn test1x2
>> conn test2x1
>> conn test2x2
>>
>> You can treat those as regular conns, so you can do:
>>
>> ipsec auto --delete test2x1
>>
>> Note that if you use DPD, and the base connection gets restarted,
>> it will re-add this deleted conn again.
>>
>> Paul
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
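The following is an added example, not code from the thread or from libreswan. It shows the two things Paul describes: how a single conn using leftsubnets=/rightsubnets= fans out into one per-pair conn named NxM (the test1x1 ... test2x2 names quoted from "ipsec status"), and what the equivalent hand-split ipsec.conf looks like if you prefer separate conns that you can --add/--delete individually without touching the others. The sample config, addresses and the assumption that the index order is left first, 1-based, are constructed from Paul's example and are not taken from libreswan's own naming code.

```python
"""Expand a libreswan-style conn with leftsubnets=/rightsubnets= into the
per-pair conns pluto instantiates, and render them as separate conns.

Added example; not part of the original thread or of libreswan itself.
Assumption: instance names are <name><left-index>x<right-index>, 1-based,
left index first, matching the "test1x1 ... test2x2" names in the thread.
"""

import ipaddress
import re

# Constructed sample config (documentation address ranges, not real hosts).
SAMPLE_CONF = """\
conn test
    left=192.0.2.1
    right=198.51.100.1
    leftsubnets=10.0.0.0/8,172.16.0.0/12
    rightsubnets=10.10.0.0/16,10.20.0.0/16
    authby=secret
    auto=add
"""

SUBNET_KEYS = ("leftsubnet", "leftsubnets", "rightsubnet", "rightsubnets")


def parse_conns(text):
    """Parse 'conn NAME' headers followed by indented key=value lines.

    Returns {conn_name: {key: value}}. Comments (#) and blank lines are
    skipped; a setting outside any conn section is rejected.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)\s*$", line)
        if header:
            current = header.group(1)
            conns[current] = {}
            continue
        if current is None or not line[0].isspace():
            raise ValueError(f"setting outside a conn section: {raw!r}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"expected key=value, got {raw!r}")
        conns[current][key.strip()] = value.strip()
    return conns


def _side_networks(conn, side):
    """Subnets for 'left' or 'right'; [None] means the endpoint host itself.

    ip_network() is strict, so a prefix with host bits set (10.1.2.3/8)
    raises instead of silently becoming a different policy.
    """
    plural = conn.get(side + "subnets")
    if plural is not None:
        nets = [ipaddress.ip_network(s.strip())
                for s in plural.split(",") if s.strip()]
        if not nets:
            raise ValueError(f"{side}subnets= is empty")
        return nets
    if side + "subnet" in conn:
        return [ipaddress.ip_network(conn[side + "subnet"])]
    return [None]


def expand_subnets(name, conn):
    """Return {instance_name: conn} with exactly one subnet pair per conn.

    A conn that already uses singular leftsubnet=/rightsubnet= (or none,
    i.e. a host-to-subnet conn like Paul's host-subnet1) is passed through
    under its own name.
    """
    lefts = _side_networks(conn, "left")
    rights = _side_networks(conn, "right")
    plural = "leftsubnets" in conn or "rightsubnets" in conn
    base = {k: v for k, v in conn.items() if k not in SUBNET_KEYS}
    instances = {}
    for i, left in enumerate(lefts, 1):
        for j, right in enumerate(rights, 1):
            inst = dict(base)
            if left is not None:
                inst["leftsubnet"] = str(left)
            if right is not None:
                inst["rightsubnet"] = str(right)
            instances[f"{name}{i}x{j}" if plural else name] = inst
    return instances


def render_conf(conns):
    """Render {name: {key: value}} back into ipsec.conf conn blocks."""
    blocks = []
    for name, conn in conns.items():
        lines = [f"conn {name}"] + [f"    {k}={v}" for k, v in conn.items()]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    expanded = {}
    for cname, cdef in parse_conns(SAMPLE_CONF).items():
        expanded.update(expand_subnets(cname, cdef))
    print(render_conf(expanded))
```

Running it prints four conns, test1x1 through test2x2, each carrying one leftsubnet= and one rightsubnet=. Pasting that output into ipsec.conf in place of the subnets= conn gives you the "separate conns" layout from Paul's reply, where `ipsec auto --delete test2x1` removes one pair for good instead of being re-added when DPD restarts the base connection.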
