After giving it a second look, a brief response to my original message. The
xfrm policies seem quite wrong after all:
> src rw.pp.uu.bb/32 dst 192.168.1.1/32
> dir out priority 1753280 ptype main
> tmpl src rw.ii.nn.tt dst srv.pp.uu.bb
> proto esp reqid 16393 mode tunnel
(192.168.1.1 is srv.ii.nn.tt). Shouldn't this be rather
src rw.ii.nn.tt/32 dst srv.pp.uu.bb/32 ?
Not sure about the tmpl part, should this perhaps rather read
tmpl src rw.pp.uu.bb dst srv.pp.uu.bb ?
With the currently installed policies, the original packets do not match, as
their source IP is the internal one (as expected), which is apparently the
reason why they are sent out in the clear.
Is this expected behaviour? If not, what can I do to change that? I have
inspected my configuration files. The
rw.pp.uu.bb
rw.ii.nn.tt
obviously does not appear anywhere except implicitly in left=%defaultroute
on the roadwarrior, since it is not known beforehand. The
srv.ii.nn.tt
appears implicitly in left= (%defaultroute) and explicitly in leftsubnet= on
the server and in rightsubnet= on the roadwarrior. And the remaining
srv.pp.uu.bb
appears only in right= on the roadwarrior.
Many thanks for any input,
Phil
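
Added example, not part of Phil's message or of libreswan: a small Python model of the selector check discussed above, parsing `ip xfrm policy`-style output and testing which source address the outbound policy selects. The numeric addresses are constructed stand-ins for the redacted ones (assumption: rw.pp.uu.bb is the roadwarrior's public address and rw.ii.nn.tt its internal one); NAT and the rest of the kernel lookup are not modelled.

```python
import ipaddress
import re

# Constructed stand-ins for the redacted addresses in the post (assumptions):
# rw.pp.uu.bb -> 198.51.100.7, rw.ii.nn.tt -> 10.0.0.5, srv.pp.uu.bb -> 203.0.113.9
# 192.168.1.1 (srv.ii.nn.tt) is taken from the post.
XFRM_DUMP = """\
src 198.51.100.7/32 dst 192.168.1.1/32
\tdir out priority 1753280 ptype main
\ttmpl src 10.0.0.5 dst 203.0.113.9
\t\tproto esp reqid 16393 mode tunnel
"""

SEL = re.compile(r"^src (\S+) dst (\S+)")   # selector: unindented line
DIR = re.compile(r"\bdir (in|out|fwd)\b.*?\bpriority (\d+)")

def parse_policies(text):
    """Parse `ip xfrm policy` output into dicts with selector, dir, priority."""
    policies = []
    for line in text.splitlines():
        if (m := SEL.match(line)):          # indented tmpl lines do not match
            policies.append({"src": ipaddress.ip_network(m[1], strict=False),
                             "dst": ipaddress.ip_network(m[2], strict=False),
                             "dir": None, "priority": 0})
        elif policies and (m := DIR.search(line)):
            policies[-1].update(dir=m[1], priority=int(m[2]))
    return policies

def lookup(policies, direction, src, dst):
    """Return the matching policy with the lowest priority value, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and s in p["src"] and d in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None

def verdict(policies, src, dst):
    """'esp' if an outbound policy selects the packet, else 'clear'."""
    return "esp" if lookup(policies, "out", src, dst) else "clear"

if __name__ == "__main__":
    pols = parse_policies(XFRM_DUMP)
    for src in ("10.0.0.5", "198.51.100.7"):   # internal vs. public source
        print(src, "-> 192.168.1.1:", verdict(pols, src, "192.168.1.1"))
```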