All,

Having learnt how to provide access to the local subnet when the tunnel is
up, I now want to restrict the list of subnets available through the tunnel.
In other words, I want everything to go OFF-tunnel unless it is in the
supplied list of subnets.

So, I set up a normal tunnel and provide a comma-separated list of allowed
subnets (e.g. "rightsubnet=172.20.0.0/16,1.1.0.0/16").

As hoped for, strongSwan leaves the default ip route alone so that by
default, traffic is "off-tunnel" and adds a set of ip routes that direct the
desired traffic down the tunnel.

So far, so good.

[ strongSwan is also using the list of allowed subnets to set up ip xfrm
policies. I'm not sure if I want these or understand them, but I'll leave
them be until I learn more about xfrm. ]

By accident, I found out that strongSwan is also using the list of allowed
subnets as "responder" traffic-selectors in the ISAKMP messages to set up
the tunnel.

Is this correct? Desired?

Why would the remote end of the tunnel be interested in how I want to direct
traffic on- or off-tunnel? Surely routing policy is a local decision?

Or, as usual, have I got hold of the wrong end of the stick? Are responder
traffic-selectors meant to tell the remote end what traffic to send us down
the tunnel and I should add explicit routes (and not use "rightsubnets") to
direct which locally-generated traffic goes on- or off-tunnel?

Hope this all makes sense. I can provide examples if anyone has not got a
clue what I'm going on about.

Regards,

Graham.
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
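The behaviour Graham describes, worked through as an added example that is not code from the post or from strongSwan: the rightsubnet= list is proposed to the peer as traffic selectors, the peer narrows them to what it is configured to allow (IKEv2 narrowing, RFC 7296 section 2.9), and the routes and outbound xfrm policies the initiator ends up with follow from the narrowed result rather than from the raw list. The peer's configured subnets, the local subnet 10.0.0.0/24 and the interface name eth0 are assumptions; the routing table 220 is strongSwan's default.

```python
"""Added example, not from the post: model what a comma-separated
rightsubnet= list becomes on the wire and in the kernel.  All addresses
below are constructed for illustration."""
import ipaddress

def parse_subnets(value):
    """Split a strongSwan-style comma-separated subnet list."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",") if s.strip()]

def narrow(proposed, peer_allowed):
    """IKEv2 responder narrowing (RFC 7296, section 2.9): the peer keeps
    only the overlap of each proposed selector with what it is configured
    to allow, so the negotiated TS can be smaller than what was sent."""
    kept = set()
    for p in proposed:
        for a in peer_allowed:
            if p.version != a.version:
                continue
            if p.subnet_of(a):
                kept.add(p)   # our proposal already fits the peer's config
            elif a.subnet_of(p):
                kept.add(a)   # peer narrows us down to its smaller block
    return sorted(kept)

def kernel_state(local, remote_ts, dev="eth0"):
    """Routes (strongSwan installs them in table 220 by default) and
    outbound xfrm policies that follow from the negotiated selectors; the
    default route in the main table is untouched, so everything else
    stays off-tunnel."""
    routes = [f"{dst} dev {dev} table 220" for dst in remote_ts]
    policies = [f"src {s} dst {d} dir out tmpl proto esp mode tunnel"
                for s in local for d in remote_ts]
    return routes, policies

def path_for(ip, remote_ts):
    """Longest-prefix match against the tunnel routes; no match means the
    packet follows the ordinary default route in clear text."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in remote_ts if n.version == addr.version and addr in n]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else "off-tunnel"

if __name__ == "__main__":
    ours = parse_subnets("172.20.0.0/16,1.1.0.0/16")      # rightsubnet=
    local = parse_subnets("10.0.0.0/24")                   # leftsubnet= (constructed)
    peer_cfg = parse_subnets("172.20.5.0/24,10.9.0.0/16")  # peer's side (constructed)
    ts = narrow(ours, peer_cfg)
    routes, policies = kernel_state(local, ts)
    print(*routes, *policies, sep="\n")
    print(path_for("172.20.5.7", ts), path_for("172.20.9.1", ts))
```

Because the peer only accepts the narrowed selectors, a locally added route alone would send packets outside the negotiated TS in the clear; the selectors are what both kernels enforce.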