On Thu, 8 Jun 2017, Eric Curtin wrote:
> https://gist.github.com/ericcurtin/18abd507c0a391ba1089742bcd4cc37c
>
> By the sounds of it, I am stuck with option two that you are referring to. I would use a configuration like the following to connect to the Cisco-based client:
I'm still not seeing the entire picture. Do "Some client 1" and "Some client 2" need to be able to access things only as a client? Or does your network need to be able to initiate to "Some client 1" and initiate to "Some client 2"? The latter is not really possible, since you would need to convey which of the two 192.168.1.104's you want to talk to. (You can do this with marking and vti or something, but it gets ugly fast.)

If your network hands out an IP address to Some Client, then you can assign those IPs from your own address pool. Then each Some Client gets their own non-conflicting IP address. If you pick a non-RFC1918 range (e.g. a /27 from your own valid public range, or from 100.64.0.0/16) then you should never have a conflict. You can then also "split VPN" the client, so they only use that VPN connection to talk to one of your subnet ranges.
> conn cisco
>     type=tunnel
>     left=16.248.10.231
>     leftsubnet=16.248.10.231/32
>     leftsourceip=16.248.10.231
>     right=10.37.177.3
>     rightsubnet=192.168.1.104/32
>     rightsourceip=10.37.177.3
This combi rightsubnet and rightsourceip won't work. So I think what I mentioned as the first option would be the one you want.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
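As an added illustration of the first option Paul describes (the server hands each client its own address from a pool it controls, with the client split-tunnelled to one internal range), here is a libreswan ipsec.conf fragment; it is not from the thread or from libreswan's own documentation. The server address 16.248.10.231 is taken from Eric's config; the pool 100.64.1.2-100.64.1.30, the internal subnet 16.248.20.0/24 and the XAUTH/ModeCfg keys for a Cisco-style IKEv1 client are assumptions.

```ini
# Added example, not from the thread: roadwarrior conn where the gateway
# assigns client addresses instead of trusting the client's own LAN address.
conn roadwarriors
    type=tunnel
    # The gateway (address from Eric's config).
    left=16.248.10.231
    # Split VPN: only this one internal range (constructed) is routed over
    # the tunnel, so the client's 192.168.1.x LAN stays reachable locally
    # and the client can reach nothing else of yours through the VPN.
    leftsubnet=16.248.20.0/24
    # Any client from any source address.
    right=%any
    # Each client gets a unique address from this pool (constructed; the
    # 100.64.0.0/10 CGNAT block is not RFC1918, so it cannot collide with a
    # client's 192.168.1.104). Two clients behind the same LAN address no
    # longer clash. No rightsubnet/rightsourceip here: the assigned
    # address is the client's /32.
    rightaddresspool=100.64.1.2-100.64.1.30
    # IKEv1 XAUTH + ModeCfg as a Cisco-style client expects (assumed).
    leftxauthserver=yes
    rightxauthclient=yes
    leftmodecfgserver=yes
    rightmodecfgclient=yes
    modecfgpull=yes
    authby=secret
    # Load the conn but wait for the client to initiate.
    auto=add
```

Keep leftsubnet as narrow as the clients actually need; the pool only prevents address collisions, it does not limit what a connected client may reach.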
