On 13.03.2017 19:05, Hoggins! wrote:
> ... so if my gateway A keeps 192.168.22.0/24 as its "real" network, but
> gets – let's say – a TS 192.168.33.0/24 == 192.168.55.0/24, my road
> warriors would also be on 192.168.33.0/24 (if configured accordingly, of
> course), and be able to talk to gateway A.
TL;DR:
Nah. You need a second CHILD_SA for 192.168.22.0/24 == 192.168.33.0/24 between
site A and site B.

Short diagram time:

Current situation:
site A (192.168.22.0/24) == site B (192.168.55.0/24) == roadwarriors (192.168.33.0/24)

site A == site B: 192.168.22.0/24 == 192.168.55.0/24
site B == roadwarriors: 192.168.55.0/24 == 192.168.33.0/24

The tunnel between site A and B doesn't protect traffic between
192.168.22.0/24 == 192.168.33.0/24.
You need to build a second CHILD_SA that protects traffic between site A and B
for the traffic 192.168.22.0/24 == 192.168.33.0/24, because the one you
currently have just protects 192.168.22.0/24 == 192.168.55.0/24.
Think in IP subnets, not broadcast domains.
>
> Now... (as you understood from my previous messages, there are many
> basic things that I don't know)
Oh boy, this is going to take a while then.
> I would like my road warriors on 192.168.33.0/24 to contact hosts on
> 192.168.22.0/24 and vice-versa. Can I do this by adding the
> 192.168.22.0/24 subnet somewhere? Like
> leftsubnet=192.168.22.0/24,192.168.33.0/24 on host A (but then, how will
> the dynamic IP address be chosen amongst these two networks?
> Should I order the declarations so that the first one is the one in
> which the dyn IP will be attributed?), and
> rightsubnet=192.168.22.0/24,192.168.33.0/24,192.168.55.0/24 or something
> like that?
Err, no.
You need to tell strongswan which subnets are local and which are remote.
For site A, 192.168.22.0/24 is local; 192.168.33.0/24 and 192.168.55.0/24 are
reachable over site B.
For site B, 192.168.55.0/24 is local, 192.168.22.0/24 is reachable over site A,
and roadwarriors are attached with several tunnels (probably many tunnels to
some single hosts in 192.168.33.0/24, like 192.168.33.1/32, 192.168.33.2/32).
For roadwarriors, their virtual IP is local; 192.168.22.0/24 and
192.168.55.0/24 are reachable over site B (if you want to enable roadwarriors
to reach other roadwarriors, you have to tell them too that
192.168.33.0/24 is reachable over site B).
>
> Don't judge me, I'm playing with things I don't understand well.
>
> Thanks anyway for all this help.
>
> Hoggins!
>
--
Kind Regards,
Noel Kuntze
GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
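The layout Noel describes, written out as ipsec.conf fragments for both gateways. This is an added example, not configuration from the thread or from the strongSwan project; the public addresses 203.0.113.1/203.0.113.2, the identities @siteA/@siteB and the use of certificate authentication are assumptions made up for the illustration. The point it shows is that the site-to-site link carries two CHILD_SAs (two conn sections sharing one IKE_SA): the existing one for 192.168.22.0/24 == 192.168.55.0/24 and a second one for 192.168.22.0/24 == 192.168.33.0/24, so that packets from a road warrior's virtual IP, once decrypted on site B, match a policy towards site A instead of being dropped or sent out in the clear.

```ini
# ---- Site A: /etc/ipsec.conf (constructed example) ----
# Shared IKE_SA parameters; both conns below reuse this one IKE_SA.
conn %default
    keyexchange=ikev2
    authby=pubkey
    auto=start
    # placeholder public IPs and identities, not from the thread
    left=203.0.113.1
    leftid=@siteA
    right=203.0.113.2
    rightid=@siteB

# CHILD_SA 1 (already in place): site A LAN == site B LAN
conn a-to-b-lan
    leftsubnet=192.168.22.0/24
    rightsubnet=192.168.55.0/24

# CHILD_SA 2 (the missing one): site A LAN == road-warrior pool behind site B
conn a-to-b-roadwarriors
    leftsubnet=192.168.22.0/24
    rightsubnet=192.168.33.0/24

# ---- Site B: /etc/ipsec.conf (constructed example) ----
conn %default
    keyexchange=ikev2
    authby=pubkey
    left=203.0.113.2
    leftid=@siteB

# Mirror of CHILD_SA 1: site B LAN == site A LAN
conn b-to-a-lan
    auto=start
    right=203.0.113.1
    rightid=@siteA
    leftsubnet=192.168.55.0/24
    rightsubnet=192.168.22.0/24

# Mirror of CHILD_SA 2: road-warrior pool == site A LAN.
# Decrypted road-warrior packets destined for 192.168.22.0/24 match this
# policy on site B and are re-encrypted towards site A.
conn b-to-a-roadwarriors
    auto=start
    right=203.0.113.1
    rightid=@siteA
    leftsubnet=192.168.33.0/24
    rightsubnet=192.168.22.0/24

# Road warriors: virtual IP from 192.168.33.0/24 is "local" for them;
# both site LANs are reachable over site B. Add 192.168.33.0/24 to
# leftsubnet as well if road warriors must reach each other.
conn roadwarriors
    auto=add
    right=%any
    rightsourceip=192.168.33.0/24
    leftsubnet=192.168.55.0/24,192.168.22.0/24
```

Site A needs nothing that knows about individual road warriors; it only needs the /24 pool as a remote subnet. On site B, check with `ipsec statusall` that both CHILD_SAs towards site A are up before testing a road warrior, and remember that IP forwarding must be enabled on both gateways for the transit traffic to move between tunnels.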
