[Swan] ikev2 and win7

Paul Wouters paul at nohats.ca
Wed May 13 06:26:50 EEST 2015


On Tue, 12 May 2015, Bob Miller wrote:

> I think I got it figured out.  In the hopes it is useful to others, this is 
> what I did:

Thanks, I'll put this up on the Wiki!

> It seems that routing is a different game here. The way I used to do it was
> set the leftsubnet to be that of the remote network, then use iptables to do
> FORWARD between the networks, and then a NAT rule to allow internet access.
> I found that using this config, the leftsubnet *also* has to be set to
> 0.0.0.0/0 in order to allow internet traffic.
>
> I am not really clear on the narrowing function, I think I need to learn more 
> on that, but that will be for another day.  Thanks again for the pointer, 
> Paul...

Narrowing basically lets a client ask for a subnet, and the server respond
with a narrowed subset of that. So you ask for 0.0.0.0/0 and you get, say,
10.0.0.0/8.

Gory details are at https://tools.ietf.org/html/rfc7296#section-2.9

For a quick overview, see "narrowing" in the "man ipsec.conf"
documentation.

Paul
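To make the narrowing step concrete, here is an added example (not libreswan's code, and not part of the original mail) that models what the responder does with the traffic selectors described in RFC 7296 section 2.9: the client proposes address ranges, the server intersects them with its own policy and either answers with the narrowed set or rejects with TS_UNACCEPTABLE. It also shows why the client's leftsubnet matters for internet-bound traffic: a selector narrowed to 10.0.0.0/8 covers hosts in that range but not an address such as 8.8.8.8. The example is IPv4-only and all subnets and addresses in it are constructed sample values.

```python
"""Traffic selector narrowing modelled on RFC 7296 section 2.9.

Added illustration, not libreswan code. IKEv2 TSi/TSr payloads carry
start/end addresses; here a selector is a (start, end) pair of integers.
"""
from ipaddress import IPv4Address, ip_network


def to_range(cidr):
    """Turn a CIDR string into an inclusive (start, end) integer range."""
    net = ip_network(cidr, strict=False)
    return (int(net.network_address), int(net.broadcast_address))


def fmt(rng):
    """Render a (start, end) range the way an IKEv2 TS range reads."""
    return f"{IPv4Address(rng[0])}-{IPv4Address(rng[1])}"


def intersect(a, b):
    """Overlap of two inclusive ranges, or None when they are disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def narrow(proposed, policy):
    """Responder-side narrowing.

    proposed: ranges the initiator asked for (e.g. 0.0.0.0/0)
    policy:   ranges the responder is configured to allow
    Returns the narrowed list, or None to signal TS_UNACCEPTABLE
    because no proposed range overlaps the responder's policy.
    """
    narrowed = []
    for want in proposed:
        for allowed in policy:
            overlap = intersect(want, allowed)
            if overlap is not None and overlap not in narrowed:
                narrowed.append(overlap)
    return narrowed or None


def covers(selectors, addr):
    """True if a destination address falls inside any agreed selector,
    i.e. whether traffic to it would be sent through the tunnel."""
    a = int(IPv4Address(addr))
    return any(lo <= a <= hi for lo, hi in selectors)


if __name__ == "__main__":
    # Constructed sample: client asks for everything, server allows 10/8.
    client_asks = [to_range("0.0.0.0/0")]
    server_policy = [to_range("10.0.0.0/8")]
    agreed = narrow(client_asks, server_policy)
    print("agreed:", [fmt(r) for r in agreed])
    print("10.4.5.6 via tunnel?", covers(agreed, "10.4.5.6"))
    print("8.8.8.8 via tunnel?", covers(agreed, "8.8.8.8"))
    # Disjoint proposal: responder would reply TS_UNACCEPTABLE.
    print("192.168.1.0/24 vs 10/8:", narrow([to_range("192.168.1.0/24")], server_policy))
```

Running it shows the 0.0.0.0/0 request coming back as 10.0.0.0-10.255.255.255, with 10.4.5.6 inside the agreed selector and 8.8.8.8 outside it; a proposal that does not overlap the policy at all yields None, the case where a real responder returns TS_UNACCEPTABLE.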

