On Mon, 5 Jun 2023, Trevor Hemsley wrote:
I have a test server set up to use IKEv2 and I can successfully connect and get it to assign me an IP address etc. if and only if I have one single subnet in my left/right config. I need to route 3 of them and I can do any one of them but not more. I have tried various syntaxes from {left,right}subnets="172.x.x.x/24 10.x.x.x/24 10.y.x.x/24", either comma or space separated, changing the "" to {}, nesting "{}", and none of those work. When I restart the server end, the daemon starts up but the connection is not started and there are no errors anywhere that I have found that tell me why (checked /var/log/{messages,secure} and journalctl -u ipsec). I am using libreswan-4.9-4.el9_2.x86_64 on a fully updated Rocky Linux 9.2 VM on both ends. I have also tried adding 3 separate conn subnet{1,2,3}'s just containing also=mainconn rightsubnet= and that starts up but won't let me connect. So this works with just one subnet on the left.
With libreswan 5.0, you will be able to do this. It should be released very soon (1-2 weeks hopefully). The current 4.x code "instantiates" the *subnets= connections into subnet= connections, but with dynamic clients getting an IP address it won't work for all instantiations of the subnets= connection. 5.0 will support multiple traffic selectors in a single IPsec SA, and then what you want works. You can try "git main", it has the code already, but you need to use rightsubnet="172.x.x.x/24 10.x.x.x/24 10.y.x.x/24". Note the singular subnet= use with multiple subnets. For 5.0 final, this will be behind a new option and subnet= and subnets= will get the same meanings.

Paul
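As an added illustration of the two syntaxes discussed above (this is not a config from either poster), here is a minimal ipsec.conf conn pair: the first form is what works on the 4.x series today (one subnet per conn, the extra subnets split out via also=), the second is the multiple-traffic-selector form Paul describes for "git main" and 5.0 (a space-separated list in the singular rightsubnet=). The conn names, the left= address and the use of rightaddresspool= for the roadwarrior client address are assumptions for the sake of the example; the subnet values are the placeholder ranges from the thread.

```ini
# Added example, not from the original posts.
# Form 1: libreswan 4.x style. Each conn carries exactly ONE rightsubnet=,
# the shared settings live in "mainconn" and are pulled in with also=.
# The thread reports that only one of these instantiates for a client that
# receives a dynamic address, so only one subnet is actually routed.
conn mainconn
    left=203.0.113.1            # assumed server address (TEST-NET-3)
    leftsubnet=10.0.0.0/24      # assumed server-side subnet
    right=%any
    rightaddresspool=10.99.0.0/24   # assumed client address pool
    ikev2=insist

conn subnet1
    also=mainconn
    rightsubnet=172.x.x.x/24    # placeholder from the thread

conn subnet2
    also=mainconn
    rightsubnet=10.x.x.x/24     # placeholder from the thread

conn subnet3
    also=mainconn
    rightsubnet=10.y.x.x/24     # placeholder from the thread

# Form 2: "git main" / 5.0 style as described in the reply. One conn, one
# IPsec SA with several traffic selectors. Note the SINGULAR rightsubnet=
# key holding a space-separated list; Paul says 5.0 final will put this
# behind a new option and make subnet= and subnets= equivalent.
conn mainconn-multi-ts
    left=203.0.113.1
    leftsubnet=10.0.0.0/24
    right=%any
    rightaddresspool=10.99.0.0/24
    ikev2=insist
    rightsubnet="172.x.x.x/24 10.x.x.x/24 10.y.x.x/24"
```

After changing the file, `ipsec auto --add <connname>` (or a full `ipsec restart`) followed by `journalctl -u ipsec` is the place to confirm the conn actually loaded; a conn that parses but silently does not instantiate is exactly the symptom the original poster reports on 4.9.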