[Swan] Send lan traffic over established subnet - subnet tunnel

Paul Wouters paul at nohats.ca
Thu Mar 3 16:01:13 UTC 2016


On Thu, 3 Mar 2016, Nick Howitt wrote:

> Use left/rightsubnets instead of left/rightsubnet. Check the man page for ipsec.conf.
> 
> On 2 March 2016 13:44:29 GMT+00:00, Antonio Silva <asilva at wirelessmundi.com> wrote:

> Is there a way to route traffic from lanA and lanB without having to
> create another tunnel?

While the plural subnets= usage means you have one "connection", it
still establishes multiple tunnels. That is because policy VPNs work
based on source/destination policies and not random routing.

Once we support VTI fully, you will be able to make a route-based VPN
where you can set the policy to 0.0.0.0/0 <-> 0.0.0.0/0 and use routing
to make the encryption decisions. And I strongly recommend never doing
this. It is weak security, prone to routing errors, and you might end
up with one-way encrypted and one-way plaintext if both endpoints don't
use the same routing.

> Maybe by setting manual xfrm policies...

Never ever do that if you are running an IKE daemon. The IKE daemon keeps
its own list of XFRM policies it thinks are in the kernel. If you change
those behind its back, you are going to run into trouble. Also, manual
means never getting updated, means no perfect forward secrecy. It's
bad. Don't do it. In fact, I would be tempted to extend the pluto IKE
daemon to notice rogue XFRM changes and set off the red alert.

Paul
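
The two risks raised in this message, a subnets= connection whose per-pair tunnels are not all installed (one direction encrypted, the other plaintext) and XFRM policies added behind the IKE daemon's back, can both be checked from the kernel's policy table. The script below is an added example, not code from the thread or from libreswan. It derives the policies a `leftsubnets=`/`rightsubnets=` connection should install (one out/in/fwd triple per subnet pair), parses the output of `ip xfrm policy`, and reports missing, rogue and one-way entries. The sample output is constructed; the exact field layout of real `ip xfrm policy` output varies by iproute2 version, so the regex is an assumption to adjust.

```python
"""Audit installed XFRM policies against what an IKE connection should have set up.

Added example (not part of the original thread or of libreswan). Assumes the
`ip xfrm policy` text layout shown in the constructed sample below.
"""
import itertools
import re
from ipaddress import ip_network

# Constructed sample of `ip xfrm policy` output for a connection configured as
#   leftsubnets={10.0.1.0/24,10.0.3.0/24}  rightsubnets={10.0.2.0/24}
# Deliberately broken: the 10.0.3.0/24 <-> 10.0.2.0/24 pair has only its "out"
# policy (one-way encryption), and a manually added policy for 172.16.0.0/24
# is present that the IKE daemon knows nothing about.
SAMPLE_XFRM_POLICY = """\
src 10.0.1.0/24 dst 10.0.2.0/24
	dir out priority 1753 ptype main
	tmpl src 192.0.2.1 dst 198.51.100.1
		proto esp reqid 16389 mode tunnel
src 10.0.2.0/24 dst 10.0.1.0/24
	dir in priority 1753 ptype main
	tmpl src 198.51.100.1 dst 192.0.2.1
		proto esp reqid 16389 mode tunnel
src 10.0.2.0/24 dst 10.0.1.0/24
	dir fwd priority 1753 ptype main
	tmpl src 198.51.100.1 dst 192.0.2.1
		proto esp reqid 16389 mode tunnel
src 10.0.3.0/24 dst 10.0.2.0/24
	dir out priority 1753 ptype main
	tmpl src 192.0.2.1 dst 198.51.100.1
		proto esp reqid 16390 mode tunnel
src 172.16.0.0/24 dst 10.0.2.0/24
	dir out priority 1753 ptype main
	tmpl src 192.0.2.1 dst 198.51.100.1
		proto esp reqid 99 mode tunnel
"""

# One policy record: the "src ... dst ..." header line followed by a "dir" line.
# Socket policies print "socket in/out" instead of "dir", so they are skipped.
_POLICY_RE = re.compile(r"^src (\S+) dst (\S+)\s*\n\s*dir (\w+)", re.MULTILINE)


def _norm(prefix):
    """Canonical CIDR string so '10.0.1.0/24' and '10.0.1.5/24' compare equal."""
    return str(ip_network(prefix, strict=False))


def expected_policies(left_subnets, right_subnets):
    """Policies an IKE daemon installs for a leftsubnets x rightsubnets connection.

    Each subnet pair is its own tunnel: an 'out' policy for left->right and
    'in' plus 'fwd' policies for right->left.
    """
    expected = set()
    for left, right in itertools.product(left_subnets, right_subnets):
        left, right = _norm(left), _norm(right)
        expected.add((left, right, "out"))
        expected.add((right, left, "in"))
        expected.add((right, left, "fwd"))
    return expected


def parse_xfrm_policy(text):
    """Return the set of (src, dst, direction) tuples found in `ip xfrm policy` output."""
    return {(_norm(src), _norm(dst), direction)
            for src, dst, direction in _POLICY_RE.findall(text)}


def audit_policies(installed, expected):
    """Compare kernel state with the daemon's intended state.

    missing: expected by the connection but absent from the kernel
    rogue:   in the kernel but not explained by the connection
    one_way: (src, dst) pairs with an 'out' policy but no matching 'in'
    """
    one_way = {(src, dst) for src, dst, direction in installed
               if direction == "out" and (dst, src, "in") not in installed}
    return {
        "missing": expected - installed,
        "rogue": installed - expected,
        "one_way": one_way,
    }


if __name__ == "__main__":
    report = audit_policies(
        parse_xfrm_policy(SAMPLE_XFRM_POLICY),
        expected_policies(["10.0.1.0/24", "10.0.3.0/24"], ["10.0.2.0/24"]),
    )
    for kind, entries in report.items():
        print(kind, sorted(entries))
```

On a live host the sample text would be replaced with the captured output of `ip xfrm policy`; any non-empty `rogue` or `one_way` set is the condition the message warns about and is worth alerting on.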

