On Wed, 2 May 2018 20:08:59 +0200 Erik Andersson <[email protected]> wrote:
> Hi all,
>
> I'm running libreswan 3.23 (using netkey/xfrm) on Fedora 26.
>
> Trying to connect clients via xauth and modecfg where the address
> pool for clients is a subset of the network "behind the ipsec
> gateway".
>
> Using the following configuration:
>
> conn remote
>     auto=start
>     authby=secret
>     right=10.48.28.81
>     left=%any
>     rightsubnet=192.168.110.0/24
>     connaddrfamily=ipv4
>     pfs=yes
>     nat-keepalive=yes
>     encapsulation=auto
>     dpddelay="30"
>     dpdtimeout="120"
>     dpdaction=clear
>     rightmodecfgserver=yes
>     leftmodecfgclient=yes
>     modecfgpull=yes
>     leftaddresspool=192.168.110.220-192.168.110.254
>     modecfgdns=10.48.254.21
>     modecfgdomains=example.com
>     rightxauthserver=yes
>     leftxauthclient=yes
>     xauthby=file
>     rekey=no

You need to enable routing for that to work. Proxy ARP requires a host
route to the client. While xfrm doesn't need routing, the IP stack does.

-- 
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
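An added example, not part of the thread and not libreswan code: a small check that parses the options of a conn like the one quoted above, detects the case where `leftaddresspool` lies inside `rightsubnet`, and flags a gateway with IP forwarding turned off. The function names and the sample text are constructed here, and it assumes the LAN hosts treat `rightsubnet` as their on-link prefix.

```python
import ipaddress

# Constructed sample: the relevant options from the conn quoted in the thread.
SAMPLE_CONN = """\
conn remote
    right=10.48.28.81
    left=%any
    rightsubnet=192.168.110.0/24
    dpddelay="30"
    leftaddresspool=192.168.110.220-192.168.110.254
"""

def parse_conn(text):
    """Return {option: value} for the key=value lines of one conn section."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip().strip('"')
    return opts

def pool_in_subnet(opts):
    """True when both ends of leftaddresspool fall inside rightsubnet."""
    first, last = (ipaddress.ip_address(a.strip())
                   for a in opts["leftaddresspool"].split("-"))
    net = ipaddress.ip_network(opts["rightsubnet"], strict=False)
    return first in net and last in net

def check(opts, ip_forward):
    """ip_forward: text read from /proc/sys/net/ipv4/ip_forward."""
    findings = []
    if pool_in_subnet(opts):
        # Assumption: LAN hosts see the pool addresses as on-link, so they
        # ARP for them instead of sending the traffic to a router.
        findings.append("pool is inside rightsubnet: LAN hosts will ARP "
                        "for client addresses")
        if ip_forward.strip() != "1":
            findings.append("net.ipv4.ip_forward is off: enable routing "
                            "on the gateway")
    return findings

if __name__ == "__main__":
    try:
        with open("/proc/sys/net/ipv4/ip_forward") as f:
            state = f.read()
    except OSError:
        state = "0"   # not readable (non-Linux host): treat as disabled
    for finding in check(parse_conn(SAMPLE_CONN), state):
        print(finding)
```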
