On Mon, 6 Mar 2017, Xinwei Hong wrote:
> My example is probably not very good. Let me modify it a little bit. On one side (Router A):
> leftsubnets='10.100.0.0/16'
> rightsubnets='10.200.0.0/16'
> on the other side (Router B):
> leftsubnets='10.200.0.0/16'
> rightsubnets='10.100.0.0/24'
> When Router B proposes to Router A, since the requested rightsubnets is a
> subset of Router A's leftsubnets, we would expect it could work.
rightsubnet is NOT a subset of leftsubnet in this case. You have
10.100.0.0/16 which is 10.100.*.* which does not overlap with 10.200.0.*
If you really mean:
leftsubnets='10.100.0.0/16'
rightsubnets='10.100.0.0/24'
Then there truly IS an overlap. This situation works, but on the end with
the smaller subnet (in this case right) you would also need to add a
passthrough to ensure 10.100.0.0/24-only traffic remains local:
conn passthrough
left=1.2.3.4
right=0.0.0.0
leftsubnet=10.100.0.0/24
rightsubnet=10.100.0.0/24
authby=never
type=passthrough
auto=route
This will exclude all 10.100.0.0/24 <-> 10.100.0.0/24 traffic from being
sent to the 10.100.0.0/16 remote network.
This is explained at: https://libreswan.org/wiki/Subnet_extrusion
> The scenario we want to support is: say at the beginning, Router A and B have an exact
> match between 10.100.0.0/24 and 10.200.0.0/16, but later the
> customer decides to expand Router A's leftsubnets to 10.100.0.0/16. After Router A
> has made the change, we want the communication between A and B to
> still work without having to manually update Router B's configuration.
That is something completely different, and called "routing based VPN".
For that, please see: https://libreswan.org/wiki/Route-based_VPN_using_VTI
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
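The passthrough conn Paul describes above only makes sense once you see how the policy lookup behaves with and without it. The following is an added example, not code from the list post or from the libreswan project: it models the small-subnet side (10.100.0.0/24 local, 10.100.0.0/16 remote) as a table of IPsec-policy-like entries and selects the most specific match, the same way a kernel SPD prefers a longer prefix. The Policy class, the scoring by summed prefix length and the "cleartext" fallback are simplifications assumed here for illustration, not libreswan's real data structures.

```python
"""Added example (not from the libreswan post or project): why an extruded
subnet needs a more-specific passthrough policy so local<->local traffic
is not sent into the tunnel. Policy shape and matching are simplified."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "tunnel" or "passthrough" (assumed labels)


def classify(local: str, remote: str) -> str:
    """Relationship between this side's subnet and the peer's subnet.
    For CIDR networks, overlapping implies one contains the other, so the
    only possibilities are exact, extruded (we are the smaller side),
    contains (we are the larger side), or disjoint."""
    l, r = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    if l == r:
        return "exact"
    if l.subnet_of(r):
        return "extruded"
    if r.subnet_of(l):
        return "contains"
    return "disjoint"


def build_policies(local: str, remote: str, passthrough: bool = True):
    """Policy table for one side: the tunnel in both directions plus, when
    the local subnet is extruded from the remote one and `passthrough` is
    set, a local<->local passthrough entry (the conn from the post)."""
    l, r = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    pols = [Policy(l, r, "tunnel"), Policy(r, l, "tunnel")]
    if passthrough and classify(local, remote) == "extruded":
        pols.append(Policy(l, l, "passthrough"))
    return pols


def lookup(policies, src_ip: str, dst_ip: str) -> str:
    """Most specific matching entry wins (largest summed prefix length).
    No match means no IPsec policy applies: plain cleartext routing."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best = None
    for p in policies:
        if s in p.src and d in p.dst:
            score = p.src.prefixlen + p.dst.prefixlen
            if best is None or score > best[0]:
                best = (score, p)
    return best[1].action if best else "cleartext"


if __name__ == "__main__":
    LOCAL, REMOTE = "10.100.0.0/24", "10.100.0.0/16"  # constructed input
    print("relationship:", classify(LOCAL, REMOTE))
    for pt in (False, True):
        table = build_policies(LOCAL, REMOTE, passthrough=pt)
        print(f"passthrough={pt}: 10.100.0.5 -> 10.100.0.7 =>",
              lookup(table, "10.100.0.5", "10.100.0.7"))
        print(f"passthrough={pt}: 10.100.0.5 -> 10.100.7.1 =>",
              lookup(table, "10.100.0.5", "10.100.7.1"))
```

Without the passthrough entry, a packet from 10.100.0.5 to 10.100.0.7 still matches the tunnel policy 10.100.0.0/24 -> 10.100.0.0/16 and is sent to the remote end; with it, the /24 <-> /24 entry is more specific and wins, so the traffic stays local, which is exactly what the post's `type=passthrough` conn achieves. The same classify() check shows the first configuration in the thread (10.100.0.0/24 against 10.200.0.0/16) is disjoint rather than a subset.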