On Fri, 17 May 2019, Scott Whitten wrote:
rightsubnet=10.3.5.0/24 rightsourceip=10.3.5.254 leftsubnet=192.168.2.0/24 leftsourceip=192.168.2.251
I'm connecting between Libreswan and a Cisco ASA. There are 2 other subnets I'd like to add to "rightsubnet". If I add them via:

rightsubnets=10.3.5.0/24,10.3.10.0/24,10.3.22.0/24

The subnets are added to the routing table but I can't ping anything. If I use just the config shown above, I can successfully ping 10.3.5.x hosts. What am I doing wrong?
If you add multiple subnets, then you cannot specify sourceip=. You should leave that out. If there is any traffic that you want to have originating from the gateway itself to the remote subnets, and you require a sourceip of an internal subnet that is present on the gateway itself, you will need to add those routes (with "src x.x.x.x") yourself. Although usually, if you have multiple subnets, those do not all have an IP address on the gateway, and the gateway is really just a router for those subnets.

Check that you are excluding NAT for all those source-dest subnet combinations. If you accidentally NAT those to a public IP, it will no longer match the left-right subnets and will not be encrypted by IPsec.

Paul

_______________________________________________
Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
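The two things Paul's reply asks for, the NAT-exclusion check over every left/right subnet combination and the explicit-src routes for gateway-originated traffic, can be verified and generated mechanically. The script below is an added example, not code from the thread or from the Libreswan project. It walks a constructed `iptables -t nat -S POSTROUTING` listing with first-match semantics and reports any left-to-right subnet pair that would reach a MASQUERADE/SNAT target before an ACCEPT, which is exactly the case where the packet no longer matches the tunnel's subnet pair and leaves unencrypted. The subnets are the ones from the question; the sample rule set, the interface name `eth0`, and the gateway address used in `route_commands` are assumptions for illustration.

```python
"""Check NAT exclusions and generate src routes for a multi-subnet Libreswan tunnel (added example)."""
import ipaddress
import shlex
from itertools import product

# Tunnel definition from the question. With rightsubnets= listing several networks,
# leftsourceip=/rightsourceip= are dropped, as the reply advises.
LEFT_SUBNETS = ["192.168.2.0/24"]
RIGHT_SUBNETS = ["10.3.5.0/24", "10.3.10.0/24", "10.3.22.0/24"]

# Constructed sample of `iptables -t nat -S POSTROUTING` on the gateway: only the
# original right subnet is excluded, so the two new subnets still hit MASQUERADE.
SAMPLE_NAT_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.2.0/24 -d 10.3.5.0/24 -j ACCEPT
-A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
"""

NAT_TARGETS = {"MASQUERADE", "SNAT", "NETMAP"}


def parse_nat_rules(text):
    """Parse `-A POSTROUTING ...` lines into (src, dst, target) tuples, in chain order.
    Matches other than -s/-d (-o, -p, ...) are ignored, i.e. treated as 'may match'."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", "POSTROUTING"]:
            continue
        src = dst = target = None
        it = iter(tokens[2:])
        for tok in it:
            if tok == "-s":
                src = ipaddress.ip_network(next(it), strict=False)
            elif tok == "-d":
                dst = ipaddress.ip_network(next(it), strict=False)
            elif tok == "-j":
                target = next(it)
        rules.append((src, dst, target))
    return rules


def _covers(rule_net, net):
    return rule_net is None or net.subnet_of(rule_net)


def _overlaps(rule_net, net):
    return rule_net is None or net.overlaps(rule_net)


def classify_pair(left, right, rules):
    """First-match walk of the chain for traffic left -> right.
    'excluded': an ACCEPT (or the ACCEPT policy) is hit before any NAT target.
    'natted':   a NAT target covers the whole pair first.
    'partial':  a rule overlaps only part of the pair; needs manual review."""
    for src, dst, target in rules:
        if _covers(src, left) and _covers(dst, right):
            return "natted" if target in NAT_TARGETS else "excluded"
        if _overlaps(src, left) and _overlaps(dst, right):
            return "partial"
    return "excluded"  # chain policy ACCEPT: nothing rewrote the source address


def missing_nat_exclusions(left_subnets, right_subnets, nat_rules_text):
    """Return (left, right, status) for every pair that is not cleanly excluded from NAT."""
    rules = parse_nat_rules(nat_rules_text)
    problems = []
    for l, r in product(left_subnets, right_subnets):
        status = classify_pair(ipaddress.ip_network(l), ipaddress.ip_network(r), rules)
        if status != "excluded":
            problems.append((l, r, status))
    return problems


def nat_exclusion_commands(left_subnets, right_subnets):
    """ACCEPT rules to insert at the top of POSTROUTING, one per subnet combination."""
    return [f"iptables -t nat -I POSTROUTING -s {l} -d {r} -j ACCEPT"
            for l, r in product(left_subnets, right_subnets)]


def route_commands(right_subnets, src_ip, dev):
    """Routes with an explicit src for traffic originating on the gateway itself.
    `dev` and `src_ip` are assumptions; they must match the gateway's own setup."""
    return [f"ip route replace {r} dev {dev} src {src_ip}" for r in right_subnets]


if __name__ == "__main__":
    for l, r, status in missing_nat_exclusions(LEFT_SUBNETS, RIGHT_SUBNETS, SAMPLE_NAT_RULES):
        print(f"{l} -> {r}: {status}")
    print(*nat_exclusion_commands(LEFT_SUBNETS, RIGHT_SUBNETS), sep="\n")
    print(*route_commands(RIGHT_SUBNETS, "192.168.2.251", "eth0"), sep="\n")
```

Run against a real gateway by feeding it the output of `iptables -t nat -S POSTROUTING` (nftables users can translate their ruleset to the same `-A` form with `iptables-nft-save`). The ACCEPT exclusions must sit above any MASQUERADE/SNAT rule, which is why the generated commands use `-I`; the `partial` status flags rules whose -s/-d only overlap a subnet pair, since those can leak a fraction of the traffic through NAT while pings to some hosts still work.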
