Hello Lejeczek,

kernel-libipsec (which is required to be loaded for libipsec to be usable) creates a tun interface itself. You cannot prescribe it to use one.

> mode = pass

That disables all IPsec processing for traffic that matches the policies. You probably don't want to do that.

> 1) Obvious - how to make it work?

Completely different from what you configured. Just use a normal roadwarrior config.

Kind regards

Noel

On 05.11.20 at 17:45, lejeczek wrote:
> Hi guys
>
> To start I should say I'm trying this with libipsec.
>
> I have an initiator with local 10.3.1.0/24 and the following config:
>
> connections {
>   to-tinyionos {
>     version = 2
>     remote_addrs = "A.B.C.D"
>     vips = "0.0.0.0"
>     local {
>       auth = pubkey
>       certs = "my.cert.der"
>     }
>     remote {
>       certs = "server.cert.der"
>     }
>     children {
>       to-tinyionos {
>         mark_in = %unique
>         mark_out = %unique
>         remote_ts = "10.3.9.0/24"
>         local_ts = "10.3.1.0/24"
>         #mode = "tunnel"
>         mode = pass
>       }
>     }
>   }
> }
>
> and there I have a server with a tun iface:
>
> 17: forswan: <NO-CARRIER,POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 500
>     link/none
>     inet 10.3.9.1/24 brd 10.3.9.255 scope global noprefixroute forswan
>        valid_lft forever preferred_lft forever
>
> and server config, connection part:
>
> fenbox {
>   version = 2
>   pools = "myclient"
>   vips = "0.0.0.0"
>   remote {
>     auth = "pubkey"
>     id = "O=client, CN=tiny.client"
>   }
>   children {
>     fenbox {
>       mark_in = %unique
>       mark_out = %unique
>       local_ts = "10.3.9.0/24"
>       remote_ts = "10.3.1.0/24"
>       #mode = transport
>       #mode = "tunnel"
>       mode = pass
>     }
>   }
> }
>
> What I'd like to get, which I'm not for some reason, is:
> - to access IPs of the 10.3.9.0/24 subnet.
> From the server I can get to the initiator's 10.3.1.0/24, but the server with 10.3.9.1 on the tun iface cannot get to the initiator's assigned 10.3.9.254.
> I have two questions:
> 1) Obvious - how to make it work?
> 2) I notice that the initiator gets an IP: 10.3.9.254/32 - is this that subnet because of how libipsec works, and if yes, then can it be controlled and changed?
>
> many thanks, L.
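As an added illustration of the advice above (not configuration from either poster or from the strongSwan project), a plain roadwarrior initiator and responder in place of the thread's "mode = pass" children; the addresses, pool name, identity and certificate file names are the thread's own values reused as placeholders, and the pool range is assumed.

```conf
# Added example, not either poster's or the strongSwan project's config: a
# plain roadwarrior setup in place of the thread's 'mode = pass' children.
# Addresses, pool name, identity and cert file names reuse the thread's values
# as placeholders; the pool range is assumed. 'mode = pass' installs a bypass
# policy, so matching traffic goes out without ESP, neither encrypted nor
# authenticated. The children below leave mode at its default, tunnel.
# --- initiator's swanctl.conf (kernel-libipsec creates the tun device itself;
#     no mark_in/mark_out and no hand-made tun interface are needed)
connections {
  to-server {
    version = 2
    remote_addrs = A.B.C.D
    vips = 0.0.0.0              # request a virtual IP from the responder
    local {
      auth = pubkey
      certs = my.cert.der
    }
    children {
      net {
        remote_ts = 10.3.9.0/24 # network behind the server to reach
        # local_ts defaults to dynamic, i.e. the assigned virtual IP
      }
    }
  }
}
# --- responder's swanctl.conf (separate file on the server)
connections {
  rw {
    version = 2
    pools = myclient
    local {
      auth = pubkey
      certs = server.cert.der
    }
    remote {
      auth = pubkey
      id = "O=client, CN=tiny.client"
    }
    children {
      rw {
        local_ts = 10.3.9.0/24  # what the client may reach
        # remote_ts defaults to dynamic: the pool address given to the client
      }
    }
  }
}
pools {
  myclient {
    addrs = 10.3.9.0/24         # assumed range; the thread's client got 10.3.9.254
  }
}
```

With mode left unset, traffic between the client's virtual IP and 10.3.9.0/24 is actually protected by ESP, which is what the pass policy was suppressing.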