[Swan] modecfg with multiple subnets
Paul Wouters
paul at nohats.ca
Mon Jun 16 19:35:41 EEST 2014
On Mon, 16 Jun 2014, Wolfgang Nothdurft wrote:
> I was trying to configure mode config with multiple subnets.
>
> The problem is that the connection with the second subnet can't connect (see
> log and example config):
>
> Jun 16 15:45:05 d1 pluto[27759]: "client/2x0"[1] 10.0.12.2 #1: cannot respond
> to IPsec SA request because no connection is known for
> 192.168.11.0/24===10.0.11.2[MS+S=C]...10.0.12.2[+MC+S=C]===192.168.12.1/32
>
> Should it be possible to use mode config with multiple subnets?
Yes it should be, but the server side code is still incomplete. You
need to send a CISCO_SPLIT_INC XAUTH attribute and then send multiple
"route objects". This code should be triggered when the client end is
not rightsubnet=0.0.0.0/0 but rightsubnets={ list of subnets }
On the client side, this already works (interops with Cisco). I can
provide you with a log if it helps to see what you need to send.
> And there seems to be an old bug also that rightsubnet needs to be set with
> leftsubnets and vice versa.
> This would be problematic if you'd use rightaddresspool instead of
> rightsubnet on the server side.
Yes, that's a problem in the parser code in lib/libipsecconf/ being too
strict.
If you don't get to this, we can hopefully finish this for libreswan 3.10.
Paul
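When pluto logs "cannot respond to IPsec SA request because no connection is known for ...", the useful part is the selector string after it, which shows exactly which subnet pair the peer proposed. The script below is an added example written for this thread, not code from libreswan or from either poster: it parses that selector string out of the quoted log line and checks it against a hypothetical set of configured leftsubnets/rightsubnets (the CONNS_* dictionaries are constructed for illustration, since the original config is not in the message). The point is to separate the two possible causes: the proposed subnet is simply not in the config, or it is in the config and the responder still failed to instantiate a connection for it, which is the incomplete server-side modecfg case Paul describes.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# The log line quoted in the thread, reassembled onto one line.
LOG_LINE = (
    'Jun 16 15:45:05 d1 pluto[27759]: "client/2x0"[1] 10.0.12.2 #1: cannot respond '
    'to IPsec SA request because no connection is known for '
    '192.168.11.0/24===10.0.11.2[MS+S=C]...10.0.12.2[+MC+S=C]===192.168.12.1/32'
)

# Pluto prints the proposed selectors as
#   <left-subnet>===<left-host>[flags]...<right-host>[flags]===<right-subnet>
# where the subnet and the flag bracket may be absent on either side.
SELECTOR_RE = re.compile(
    r"^(?:(?P<lsub>[\d.]+/\d+)===)?(?P<lhost>[\d.]+)(?:\[(?P<lflags>[^\]]*)\])?"
    r"\.\.\.(?P<rhost>[\d.]+)(?:\[(?P<rflags>[^\]]*)\])?(?:===(?P<rsub>[\d.]+/\d+))?$"
)

# Constructed configs (hypothetical, not the poster's "example config").
# In CONNS_MISSING the server has no entry covering 192.168.11.0/24;
# in CONNS_COVERED it does, so a failure there is not a config omission.
CONNS_MISSING: Dict[str, Dict[str, List[str]]] = {
    "client/2x0": {"leftsubnets": ["192.168.10.0/24"],
                   "rightsubnets": ["192.168.12.0/24"]},
}
CONNS_COVERED: Dict[str, Dict[str, List[str]]] = {
    "client/2x0": {"leftsubnets": ["192.168.10.0/24", "192.168.11.0/24"],
                   "rightsubnets": ["192.168.12.0/24"]},
}


def parse_no_connection(log_line: str) -> Optional[Dict[str, object]]:
    """Extract hosts, flags and subnets from a 'no connection is known for' line."""
    m = re.search(r"no connection is known for (\S+)", log_line)
    if not m:
        return None
    sel = SELECTOR_RE.match(m.group(1))
    if not sel:
        return None
    g = sel.groupdict()
    # A bare host with no subnet means a /32 for that host.
    return {
        "left_host": g["lhost"],
        "right_host": g["rhost"],
        "left_flags": g["lflags"] or "",
        "right_flags": g["rflags"] or "",
        "left_subnet": ipaddress.ip_network(g["lsub"] or f'{g["lhost"]}/32', strict=False),
        "right_subnet": ipaddress.ip_network(g["rsub"] or f'{g["rhost"]}/32', strict=False),
    }


def _covered(net: ipaddress.IPv4Network, subnets: List[str]) -> bool:
    return any(net.subnet_of(ipaddress.ip_network(s, strict=False)) for s in subnets)


def covering_conns(proposal: Dict[str, object],
                   conns: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Names of configured conns whose subnet lists cover both proposed subnets."""
    return [name for name, c in conns.items()
            if _covered(proposal["left_subnet"], c["leftsubnets"])
            and _covered(proposal["right_subnet"], c["rightsubnets"])]


def diagnose(log_line: str,
             conns: Dict[str, Dict[str, List[str]]]) -> Tuple[str, str]:
    """Return (status, detail) saying why the proposed selectors found no conn."""
    p = parse_no_connection(log_line)
    if p is None:
        return "unparsed", "not a 'no connection is known for' message"
    hits = covering_conns(p, conns)
    if hits:
        return "covered", (f"{p['left_subnet']}<->{p['right_subnet']} is listed in "
                           f"{','.join(hits)}; the responder did not instantiate it")
    left_ok = any(_covered(p["left_subnet"], c["leftsubnets"]) for c in conns.values())
    right_ok = any(_covered(p["right_subnet"], c["rightsubnets"]) for c in conns.values())
    if not left_ok and not right_ok:
        return "both-missing", f"neither {p['left_subnet']} nor {p['right_subnet']} is configured"
    if not left_ok:
        return "left-missing", f"{p['left_subnet']} is in no leftsubnets list"
    return "right-missing", f"{p['right_subnet']} is in no rightsubnets list"


if __name__ == "__main__":
    for label, conns in (("missing", CONNS_MISSING), ("covered", CONNS_COVERED)):
        print(label, diagnose(LOG_LINE, conns))
```

Run against the thread's line, the "missing" config reports that 192.168.11.0/24 is in no leftsubnets list, while the "covered" config reports the pair as configured but not instantiated, which is the case to take to the list rather than to ipsec.conf.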