Hello,
I have a tunnel between libreswan and Palo Alto. I have defined 2 leftsubnets but
only one is created. I don't have access to the Palo Alto device.

conn qqqqqqqqqqq
    authby=secret
    pfs=yes
    auto=start
    keyingtries=%forever
    keylife=1h
    ike=aes256-sha256-dh14
    esp=aes256-sha256
    ikelifetime=28800s
    type=tunnel
    left=%defaultroute
    leftid=162.2……...
    leftsubnets={ 10.64.30.5/32 }
    leftnexthop=%defaultroute
    leftsourceip=10.64.30.5
    aggressive=no
    right=4…...
    rightsubnets={ 10.128.0.0/9 10.65.0.0/16 }
    rightnexthop=%defaultroute
    rightsourceip=4……...
    dpddelay=10
    dpdtimeout=3600
    dpdaction=restart

This is in /etc/ipsec.conf:

config setup
    listen=162…...
    dumpdir=/var/run/pluto/
    virtual_private=%v4:192.168.6.0/24
    protostack=netkey
    plutostderrlog=/tmp/pluto.log
    keep_alive=60

include /etc/ipsec.d/*.conf

Tunnel is established:

ip xfrm policy
src 10.64.30.5/32 dst 10.128.0.0/9
    dir out priority 1040374 ptype main
    tmpl src 162…... dst 4.79.1.105
        proto esp reqid 16389 mode tunnel
src 10.128.0.0/9 dst 10.64.30.5/32
    dir fwd priority 1040374 ptype main
    tmpl src 4…….. dst 162………...
        proto esp reqid 16389 mode tunnel
src 10.128.0.0/9 dst 10.64.30.5/32
    dir in priority 1040374 ptype main
    tmpl src 4……... dst 162………...
        proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
    dir out priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
    dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
    dir in priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
    dir out priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
    dir fwd priority 1 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
    dir in priority 1 ptype main

What might be causing that 10.128.0.0/9 is established but not 10.65.0.0/16?
Thank you
Viktor
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan
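
libreswan instantiates one connection, with its own IPsec SA, for every leftsubnets/rightsubnets combination, so each pair should appear as its own outbound policy. The following is an added example, not part of the original post: it lists the expected pairs that have no outbound ESP policy in `ip xfrm policy` output. The function names and the sample tunnel endpoints are assumptions.

```python
import ipaddress
import re
from itertools import product

# Constructed sample shaped like the post's `ip xfrm policy` output; the tunnel
# endpoints are documentation addresses because the post elides the real ones.
SAMPLE_XFRM = """\
src 10.64.30.5/32 dst 10.128.0.0/9
    dir out priority 1040374 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16389 mode tunnel
src 10.128.0.0/9 dst 10.64.30.5/32
    dir in priority 1040374 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
"""

def parse_subnets(value):
    """Parse a leftsubnets=/rightsubnets= value such as '{ a/9 b/16 }'."""
    tokens = re.split(r"[\s,]+", value.strip("{} \t"))
    return [ipaddress.ip_network(t, strict=False) for t in tokens if t]

def outbound_selectors(xfrm_text):
    """Return the (src, dst) selectors of 'dir out' policies with an ESP template."""
    found, current, is_out = set(), None, False
    for raw in xfrm_text.splitlines():
        line = raw.strip()
        header = re.match(r"src (\S+) dst (\S+)", line)
        if header:  # a selector line starts a new policy block
            current = tuple(ipaddress.ip_network(g, strict=False) for g in header.groups())
            is_out = False
        elif line.startswith("dir out"):
            is_out = True
        elif current and is_out and line.startswith("proto esp"):
            found.add(current)
    return found

def missing_pairs(left, right, xfrm_text):
    """List left x right subnet pairs that have no outbound ESP policy."""
    installed = outbound_selectors(xfrm_text)
    expected = product(parse_subnets(left), parse_subnets(right))
    return [(str(l), str(r)) for l, r in expected if (l, r) not in installed]

if __name__ == "__main__":
    for pair in missing_pairs("{ 10.64.30.5/32 }",
                              "{ 10.128.0.0/9 10.65.0.0/16 }", SAMPLE_XFRM):
        print("no outbound policy for %s -> %s" % pair)
```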