[Swan] IPsec/L2TP Subnet Restriction
Chris Seguin
segchris at gmail.com
Wed Mar 30 18:08:47 UTC 2016
Maybe I oversimplified the original question. My end goal is to support a
Windows client connecting with certificates (no PSK) and to be able to allow a
different subset of networks based on which user connects. The PSK was just
me trying to test leftsubnets and maybe not even a valid test.
Below is my config using certs. If I comment out the rightsubnets and
leftsubnets lines I can connect fine and ping everything behind the server;
if I add them back in, I can no longer connect.
conn RWrsa
    type=transport
    authby=rsasig
    pfs=no
    rekey=no
    left=%defaultroute
    leftcert=VPNA
    leftid=@vpna.example.com
    right=%any
    rightrsasigkey=%cert
    modecfgdns1=8.8.8.8
    modecfgdns2=193.110.157.123
    narrowing=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
    fragmentation=yes

conn RW-client1
    also=RWrsa
    rightid=client.example.com
    rightcert=client
    auto=add
    leftprotoport=17/1701
    rightprotoport=17/%any
    leftsubnets={ 192.168.10.70/32,192.168.10.71/32,192.168.10.72/32 }
    rightsubnets={ 0.0.0.0/0 }
On Wed, Mar 30, 2016 at 12:21 PM, Paul Wouters <paul at nohats.ca> wrote:
> On Tue, 29 Mar 2016, Chris Seguin wrote:
>
>> My connection description looks like the following:
>>
>> conn RWConn # road warrior connection description
>>     authby=secret
>>     pfs=no
>>     auto=add
>>     keyingtries=3
>>     rekey=no
>>     type=transport
>
> Transport mode means 1 ip to 1 ip
>
>>     leftsubnets={ 192.168.10.0/24 }
>
> So you cannot have subnets. Perhaps you want type=tunnel and not L2TP ?
>
> Paul
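As an added example, not part of this thread or of libreswan itself, the following Python checker parses ipsec.conf-style conn sections, flattens also= inheritance the way RW-client1 above layers on RWrsa (an including conn's own keys take precedence over the keys it pulls in), and flags any conn whose effective settings combine type=transport with leftsubnet(s)/rightsubnet(s), the mismatch Paul points out. The sample configuration is constructed from the one posted above; the function names are mine.

```python
# Added example (not from the thread): find conns that mix type=transport with subnets.
import re

# Constructed sample, trimmed from the configuration posted in the thread above.
SAMPLE_CONF = """
conn RWrsa
    type=transport
    left=%defaultroute
    right=%any

conn RW-client1
    also=RWrsa
    leftprotoport=17/1701
    rightprotoport=17/%any
    leftsubnets={ 192.168.10.70/32,192.168.10.71/32,192.168.10.72/32 }
    rightsubnets={ 0.0.0.0/0 }
"""

SUBNET_KEYS = ("leftsubnet", "leftsubnets", "rightsubnet", "rightsubnets")


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in the text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blank lines match nothing
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def effective(conns, name, seen=frozenset()):
    """Flatten also= inheritance; the including conn's own keys win over the base."""
    if name in seen:
        raise ValueError(f"also= loop at {name}")
    own = dict(conns[name])
    base = own.pop("also", None)
    merged = effective(conns, base, seen | {name}) if base else {}
    merged.update(own)
    return merged


def transport_subnet_conflicts(text):
    """Names of conns whose effective settings mix type=transport and subnet selectors."""
    conns = parse_conns(text)
    return [n for n in conns
            if (e := effective(conns, n)).get("type", "tunnel") == "transport"
            and any(k in e for k in SUBNET_KEYS)]
```

Running `transport_subnet_conflicts(SAMPLE_CONF)` reports RW-client1 only: RWrsa is transport mode but carries no subnets, while RW-client1 inherits type=transport and adds leftsubnets/rightsubnets.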