Hi, I have a strongSwan gateway handling multiple connections with all kinds of different encryption domains.
Now I have to set up a new connection where the other side has set up their encryption domain as 172.16.0.0/12. I only need to reach one host in this subnet, but I can't influence this encryption domain.
I want to prevent my system from routing all traffic destined for 172.16.0.0/12 through that tunnel when I only need to reach this one host, especially since there might be conflicts with the encryption domains of other partners on this gateway.
I have set up the connection as detailed below. If I change the rightsubnet to only this one host, the tunnel will not come up properly, as it no longer matches the partner's settings. Is there a way to build the SA with the large subnet, but internally only add routes for a smaller subnet? Thanks for any help!
conn s2s_xyz
    type=tunnel
    left=<<my_ip>>
    leftsubnet=10.10.10.10/29
    leftfirewall=yes
    leftid=<<my_ip>>
    right=<<partner_ip>>
    rightsubnet=172.16.0.0/12
    rightid=<<partner_ip>>
    auto=route
    compress=no
    mobike=no
    #Phase-1
    keyexchange=ikev2
    authby=secret
    ike=aes256-sha256-modp2048
    ikelifetime=24h
    #Phase-2
    keylife=1h
    pfs=yes
    auth=esp
    esp=aes256-sha256-modp2048
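The conflict the poster is worried about (a partner's /12 swallowing other partners' narrower encryption domains on the same gateway) is easy to check before the conn is loaded. The script below is an added example, not part of the original post or of strongSwan: it parses the leftsubnet/rightsubnet lines of an ipsec.conf-style file, reports every pair of conns whose remote encryption domains nest or coincide, and lists which conns cover a given destination, most specific first. The sample configuration is constructed; the two extra partner conns (s2s_partner_a, s2s_partner_b) and their subnets are hypothetical and only exist to show the overlap with the poster's 172.16.0.0/12. The script reads configuration only; to see what the kernel actually installed, compare its output with `ip xfrm policy` and `ip route show table 220` on the gateway.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample ipsec.conf excerpt: the poster's s2s_xyz conn (subnets only)
# next to two hypothetical partner conns that also live in 172.16.0.0/12.
SAMPLE_IPSEC_CONF = """\
config setup
    charondebug="ike 1, knl 1"

conn s2s_xyz
    leftsubnet=10.10.10.10/29
    rightsubnet=172.16.0.0/12     # partner-imposed encryption domain
    auto=route

conn s2s_partner_a
    leftsubnet=10.10.10.10/29
    rightsubnet=172.16.5.0/24
    auto=route

conn s2s_partner_b
    leftsubnet=10.10.10.10/29
    rightsubnet=192.168.50.0/24,172.20.7.0/24
    auto=route
"""


def parse_conns(text):
    """Return {conn_name: {"left": [networks], "right": [networks]}}.

    Only leftsubnet/rightsubnet are read; comma-separated lists are accepted.
    strict=False lets a host-style prefix such as 10.10.10.10/29 through
    (it is normalised to 10.10.10.8/29), as the daemon itself tolerates it.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {"left": [], "right": []}
            continue
        if current is None or "=" not in line:      # "config setup" lines etc.
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in ("leftsubnet", "rightsubnet"):
            side = "left" if key == "leftsubnet" else "right"
            conns[current][side] = [
                ipaddress.ip_network(v.strip(), strict=False)
                for v in value.split(",") if v.strip()
            ]
    return conns


def overlapping_domains(conns):
    """Pairs of conns whose remote encryption domains overlap.

    Two CIDR prefixes either are disjoint or one contains the other, so the
    relation is "equal", "contains" (first conn's net is the wider one) or
    "contained". Returns (conn_a, conn_b, net_a, net_b, relation) tuples.
    """
    found = []
    for (a, ca), (b, cb) in combinations(conns.items(), 2):
        for na in ca["right"]:
            for nb in cb["right"]:
                if na.version != nb.version or not na.overlaps(nb):
                    continue
                if na == nb:
                    rel = "equal"
                elif na.supernet_of(nb):
                    rel = "contains"
                else:
                    rel = "contained"
                found.append((a, b, na, nb, rel))
    return found


def matching_conns(conns, dst):
    """Conns whose remote domain covers dst, most specific (longest prefix) first."""
    dst = ipaddress.ip_address(dst)
    hits = [(name, net) for name, c in conns.items()
            for net in c["right"] if dst in net]
    return sorted(hits, key=lambda h: h[1].prefixlen, reverse=True)


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_IPSEC_CONF)
    for a, b, na, nb, rel in overlapping_domains(conns):
        print(f"{a} rightsubnet {na} {rel} {b} rightsubnet {nb}")
    for dst in ("172.16.5.9", "172.16.0.7", "192.168.50.3"):
        print(dst, "->", [f"{n} ({net})" for n, net in matching_conns(conns, dst)])
```

In the constructed sample the /12 of s2s_xyz contains both 172.16.5.0/24 (partner_a) and 172.20.7.0/24 (partner_b), so a packet for 172.16.5.9 is covered by two conns; whichever the kernel's XFRM policy priorities actually select is something to verify on the box with `ip xfrm policy`, not something this script can decide.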