Andreas,

Thanks for that. Unfortunately, all of these abstract labels are making my head hurt. Let's try some real numbers.

Host A and Host B have local IP addresses in the 192.16.50.xxx subnet. The SeGW has an unsecure IP address (i.e. on eth0) in the 172.16.xxx.xxx subnet and a secure IP address (i.e. on eth1) in the 172.17.xxx.xxx subnet. The SeGW is configured to hand out virtual IP addresses to Hosts A and B using the 10.15.xxx.xxx subnet. So, we want Host A to be able to talk to other entities in the 10.15.xxx.xxx subnet using IPsec (i.e. Host A <-> Host B via SeGW) and ALSO we want Host A and Host B to be able to talk to entities on the secure side of the SeGW (i.e. other servers on the 172.17.xxx.xxx subnet).

So, currently, on the SeGW we have:

    conn a-b-gw
        left=segw.foobar.com
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        rightsourceip=10.15.0.0/24

Does this make sense?

Regards,
Graham.

On 4 March 2011 10:58, Andreas Steffen <andreas.stef...@strongswan.org> wrote:
> this is an easy one:
>
> ipsec.conf of host A:
>
> conn a-b
>     left=IP_A
>     right=IP_GW
>     rightsubnet=IP_B/32
>
> ipsec.conf of gateway GW:
>
> conn a-gw
>     left=IP_GW
>     leftsubnet=IP_B
>     right=IP_A
>
> conn b-gw
>     left=IP_GW
>     leftsubnet=IP_A
>     right=IP_B
>
> ipsec.conf of host B
>
> conn b-a
>     left=IP_B
>     right=IP_GW
>     rightsubnet=IP_A/32
_______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
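The question in the thread is whether the hub's traffic selectors let a spoke reach both another spoke's virtual IP and the servers behind the gateway. The script below is an added example, not code from the thread or from strongSwan: it parses two small ipsec.conf fragments (constructed here to match the described topology, with made-up addresses 172.16.0.1 for the SeGW, 192.16.50.10 for Host A, 10.15.0.2 for Host B's virtual IP and 172.17.0.20 for a secure-side server) and checks that the spoke's rightsubnet and the hub's leftsubnet both cover each required flow. A narrowed gateway selector that omits the virtual-IP pool is included to show the failure mode.

```python
"""Traffic-selector coverage check for a strongSwan hub-and-spoke setup.

Added example, not code from the mailing-list thread or from strongSwan.
It parses minimal ipsec.conf fragments (constructed to match the
topology in the thread) and checks that the selectors on both ends of
each tunnel cover the flows the SeGW is meant to carry.
"""
import ipaddress
import re

# Constructed ipsec.conf for the SeGW (hub). leftsubnet=0.0.0.0/0 is what the
# thread uses; the narrowed variant below shows what breaks without the pool.
SEGW_CONF = """
conn a-b-gw
    left=172.16.0.1
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    rightsourceip=10.15.0.0/24
"""

# Constructed ipsec.conf for Host A (spoke). leftsourceip=%config asks the
# gateway for a virtual IP out of its rightsourceip pool. rightsubnet lists
# both destinations the thread needs: the virtual-IP pool and the secure LAN.
HOST_A_CONF = """
conn gw
    left=192.16.50.10
    leftsourceip=%config
    right=172.16.0.1
    rightsubnet=10.15.0.0/24,172.17.0.0/16
"""

# Hub selector that covers only the secure LAN: spoke-to-spoke traffic sent to
# another spoke's virtual IP then matches no selector on the hub.
SEGW_CONF_NARROW = SEGW_CONF.replace("leftsubnet=0.0.0.0/0",
                                      "leftsubnet=172.17.0.0/16")

# Flows the thread asks for; destination addresses are constructed.
REQUIRED_FLOWS = {
    "A->B via virtual IP": "10.15.0.2",
    "A->secure server": "172.17.0.20",
}


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for a minimal ipsec.conf fragment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def selectors(value):
    """Split a comma-separated leftsubnet/rightsubnet value into networks."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",")]


def covered(value, dst):
    """True if any selector in the value contains the destination address."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in selectors(value))


def check_flows(host_conf, gw_conf, flows=REQUIRED_FLOWS):
    """Check, per flow, that both halves of the negotiated selector match.

    A packet only enters the tunnel on the spoke if the destination is inside
    its rightsubnet, and is only accepted by the hub if it is inside the hub's
    leftsubnet. A missing subnet keyword defaults to the peer's own address.
    """
    host = next(iter(parse_ipsec_conf(host_conf).values()))
    gw = next(iter(parse_ipsec_conf(gw_conf).values()))
    host_sel = host.get("rightsubnet", host["right"] + "/32")
    gw_sel = gw.get("leftsubnet", gw["left"] + "/32")
    return {name: covered(host_sel, dst) and covered(gw_sel, dst)
            for name, dst in flows.items()}


def hairpin_ok(gw_conf):
    """Hub must include its own virtual-IP pool in leftsubnet.

    Otherwise traffic from one spoke to another spoke's virtual IP has no
    matching selector on the hub and is never forwarded back out over IPsec.
    """
    gw = next(iter(parse_ipsec_conf(gw_conf).values()))
    pool = ipaddress.ip_network(gw["rightsourceip"], strict=False)
    return any(pool.subnet_of(net) for net in selectors(gw["leftsubnet"]))


if __name__ == "__main__":
    for label, conf in (("thread config", SEGW_CONF),
                        ("narrowed config", SEGW_CONF_NARROW)):
        print(label, check_flows(HOST_A_CONF, conf),
              "hairpin pool covered:", hairpin_ok(conf))
```

With the thread's leftsubnet=0.0.0.0/0 every flow is covered and the pool check passes; with the narrowed selector the secure-side flow still works but Host A to Host B fails, which is the symptom to look for if spoke-to-spoke traffic silently disappears. On the spoke, listing both subnets in rightsubnet (or using 0.0.0.0/0) is what lets it send to the pool and the secure LAN through the same tunnel.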