I have no comment for your question about listing individual subnets with Charon, but strictly speaking the "narrowest" subnet for the range 192.168.10.0-192.168.14.255 is 192.168.8.0/21 not 192.168.0.0/16.
Regards,
Hans-Kristian Bakke

On 4 June 2012 21:27, <[email protected]> wrote:
> Hi.
>
> I have the following IPv4 IKEv2 tunnel mode setup:
>
> 192.168.10.0/24 --- GW ---|
> 192.168.11.0/24 --- GW ---|--- Strongswan GW --- Remote peer
> 192.168.12.0/24 --- GW ---|
> 192.168.13.0/24 --- GW ---|
>
> The remote peer has a policy defined as 192.168.0.0/16. On the Strongswan GW I define leftsubnet individually (i.e. 192.168.10.0/24 then 192.168.11.0/24 then 192.168.13.0/24 etc.) and each SA establishes fine (this would be four separate tests with different leftsubnet definitions for each network separately). These tests seem to indicate that narrowing is working to some degree. However, if I use the comma separseparated list (i.e. leftsubnet=192.168.10.0/24,192.168.11.0/24,192.168.12.0/24,192.168.13.0/24) the proposal fails and none of the SAs establish (specifically due to the traffic selectors). It's my impression that one of the major distinctions between IKEv1 and IKEv2 is to accommodate multiple subnets within the traffic selectors. So I would expect the list of multiple subnets to work if narrowing was working the way it is defined. Is my understanding incorrect? If the remote peer fails to accommodate the list of multiple subnets, is it non-conforming?
>
> Honestly, I don't really see much value in narrowing to a single subnet like what worked initially (i.e. 192.168.10.0/24 <-> 192.168.0.0/16; 192.168.11.0/24 <-> 192.168.0.0/16). In order to get all 4 subnets to the remote peer I would need to 1) define the remote peer with a policy of 192.168.0.0/16 and 2) define the Strongswan GW with a policy of 192.168.0.0/16. Which means there would be no narrowing going on. I'm at a loss trying to understand this.
>
> Any help you could provide would be appreciated. Thanks in advance.
>
> Eric Johnson
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
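The two points in this thread, the smallest CIDR block that covers a range of addresses and whether a set of local subnets fits inside a peer's policy, are both easy to check mechanically. The following is an added example (not code from either poster or from the strongSwan project) using only Python's standard `ipaddress` module. The function names `smallest_covering_network`, `exact_cidr_list` and `narrow_selectors` are assumptions; `narrow_selectors` models IKEv2 traffic selector narrowing only as the intersection of each local subnet with the peer's policy, which is a simplification of what a real IKE daemon does.

```python
import ipaddress
from typing import List

# NOTE: all function names and sample inputs below are constructed for this
# example; they do not reproduce strongSwan's charon or any peer's behaviour.


def smallest_covering_network(first: str, last: str) -> ipaddress.IPv4Network:
    """Return the single smallest CIDR block containing every address in [first, last].

    This is the 'narrowest' supernet in the sense used in the reply above:
    one block, so it may include addresses outside the requested range.
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        lo, hi = hi, lo
    net = ipaddress.IPv4Network(f"{lo}/32")
    # Widen the prefix one bit at a time until the block also holds the last address.
    while hi not in net:
        net = net.supernet()
    return net


def exact_cidr_list(first: str, last: str) -> List[ipaddress.IPv4Network]:
    """Return the minimal list of CIDR blocks that covers exactly [first, last].

    This is the shape you would write into a comma separated leftsubnet:
    several blocks, nothing outside the range.
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        lo, hi = hi, lo
    return list(ipaddress.summarize_address_range(lo, hi))


def narrow_selectors(local_subnets: List[str], peer_policy: str) -> List[ipaddress.IPv4Network]:
    """Intersect each local subnet with the peer's policy (simplified IKEv2 narrowing).

    A subnet fully inside the policy survives unchanged; a policy fully inside
    a subnet narrows that subnet down to the policy; disjoint ranges are dropped.
    """
    peer = ipaddress.IPv4Network(peer_policy)
    narrowed: List[ipaddress.IPv4Network] = []
    for entry in local_subnets:
        sub = ipaddress.IPv4Network(entry)
        if sub.subnet_of(peer):
            narrowed.append(sub)
        elif peer.subnet_of(sub):
            narrowed.append(peer)
        # Otherwise the two ranges do not overlap and no selector results.
    return narrowed


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: four /24s behind the strongSwan GW
    # and a remote policy of 192.168.0.0/16.
    local = ["192.168.10.0/24", "192.168.11.0/24", "192.168.12.0/24", "192.168.13.0/24"]
    print("single covering block:", smallest_covering_network("192.168.10.0", "192.168.14.255"))
    print("exact block list:", [str(n) for n in exact_cidr_list("192.168.10.0", "192.168.13.255")])
    print("narrowed against /16:", [str(n) for n in narrow_selectors(local, "192.168.0.0/16")])
```

Running it shows why a single covering block and a list of exact blocks are different answers: the range 192.168.10.0-192.168.14.255 needs 192.168.8.0/21 if it must be one block, but the four /24s in the thread are exactly 192.168.10.0/23 plus 192.168.12.0/23. All four /24s lie inside 192.168.0.0/16, so a peer that narrows per the intersection rule has no reason to reject any of them.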
