My example is probably not very good. Let me modify it a little bit.

On one side (Router A):
leftsubnets='10.100.0.0/16'
rightsubnets='10.200.0.0/16'

On the other side (Router B):
leftsubnets='10.200.0.0/16'
rightsubnets='10.100.0.0/24'

When Router B proposes to Router A, since the requested rightsubnets is a subset of Router A's leftsubnets, we would expect it could work.

The scenario we want to support is: say at the beginning, Router A and B have an exact match between 10.100.0.0/24 and 10.200.0.0/16, but later the customer decides to expand Router A's leftsubnets to 10.100.0.0/16. After Router A has made the change, we want the communication between A and B to still work without having to manually update Router B's configuration.

Thanks,
Xinwei

On Mon, Mar 6, 2017 at 12:05 PM, Paul Wouters <[email protected]> wrote:

> Why are you mismatching the ranges and masks??
>
> You must use the same configuration of network ranges for both sides to
> agree.
>
> Paul
>
> Sent from my iPhone
>
> On Mar 6, 2017, at 19:59, Xinwei Hong <[email protected]> wrote:
>
> Hi,
>
> With pluto/netkey, if on one side I have:
> leftsubnets='10.100.0.0/16'
> rightsubnets='10.200.0.0/24'
>
> on the other side:
> leftsubnets='10.200.0.0/16'
> rightsubnets='10.100.0.0/24'
>
> step 2 negotiation won't work, probably because they are not an exact match.
> Is this expected, or am I missing something? Can it do a subset matching?
>
> Previously when I used racoon+netkey, things were OK and the tunnel could be
> created.
>
>
> Thanks,
> Xinwei
>
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
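The subset matching asked about in this thread, modeled as an added example (not part of the original messages, and not pluto's or racoon's code): a responder compares the subnets an initiator proposes against its own configuration, either exactly or by containment. The dict layout, function names and the two mode names are assumptions made for this illustration; the subnets are the ones from the Router A / Router B configuration above.

```python
import ipaddress


def nets(*cidrs):
    """Parse CIDR strings into network objects."""
    return [ipaddress.ip_network(c) for c in cidrs]


def within(proposed, allowed):
    """True if every proposed network lies inside some allowed network."""
    return all(any(p.subnet_of(a) for a in allowed) for p in proposed)


def responder_accepts(responder, initiator, mode):
    """Decide whether the responder's policy admits the initiator's proposal.

    Each side describes itself from its own point of view, so the
    initiator's 'left' is compared with the responder's 'right' and
    vice versa.
    """
    pairs = [
        (initiator["left"], responder["right"]),
        (initiator["right"], responder["left"]),
    ]
    if mode == "exact":
        return all(set(p) == set(a) for p, a in pairs)
    if mode == "subset":
        # The responder's own configuration is the upper bound:
        # a proposal may be narrower, never wider.
        return all(within(p, a) for p, a in pairs)
    raise ValueError(f"unknown mode: {mode}")


# Configuration from the thread, after Router A was widened to /16.
ROUTER_A = {"left": nets("10.100.0.0/16"), "right": nets("10.200.0.0/16")}
ROUTER_B = {"left": nets("10.200.0.0/16"), "right": nets("10.100.0.0/24")}


def decision_matrix():
    """Evaluate both initiation directions under both matching modes."""
    results = {}
    for label, resp, init in (("B->A", ROUTER_A, ROUTER_B),
                              ("A->B", ROUTER_B, ROUTER_A)):
        for mode in ("exact", "subset"):
            results[(label, mode)] = responder_accepts(resp, init, mode)
    return results


if __name__ == "__main__":
    for key, ok in decision_matrix().items():
        print(key, "accept" if ok else "reject")
```

Under containment matching only the B->A direction fits, because Router A's /16 is wider than anything Router B's /24 policy admits. A responder that treats its own configuration as the upper bound therefore never ends up tunnelling more address space than it was configured for.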
