[Swan] Can a subset of a subnet work between peers?

Xinwei Hong xhong at skytap.com
Tue Mar 7 00:03:04 UTC 2017


My example is probably not very good. Modifying it a little bit.
On one side (Router A):
leftsubnets='10.100.0.0/16'
rightsubnets='10.200.0.0/16'

On the other side (Router B):
leftsubnets='10.200.0.0/16'
rightsubnets='10.100.0.0/24'

When Router B proposes to Router A, since the requested rightsubnets is a
subset of Router A's leftsubnets, we would expect it to work.

The scenario we want to support is: say at the beginning, Router A and B have
an exact match between 10.100.0.0/24 and 10.200.0.0/16, but later the customer
decides to expand Router A's leftsubnets to 10.100.0.0/16. After Router A makes
the change, we want the communication between A and B to still work without
having to manually update Router B's configuration.


Thanks,
Xinwei



On Mon, Mar 6, 2017 at 12:05 PM, Paul Wouters <paul at nohats.ca> wrote:

> Why are you mismatching the ranges and masks??
>
> You must use the same configuration of network ranges for both sides to
> agree.
>
> Paul
>
> Sent from my iPhone
>
> On Mar 6, 2017, at 19:59, Xinwei Hong <xhong at skytap.com> wrote:
>
> Hi,
>
> With pluto/netkey, if on one side I have:
> leftsubnets='10.100.0.0/16'
> rightsubnets='10.200.0.0/24'
>
> on the other side:
> leftsubnets='10.200.0.0/16'
> rightsubnets='10.100.0.0/24'
>
> step 2 negotiation won't work, probably because they are not an exact match.
> Is this expected, or am I missing something? Can it do subset matching?
>
> Previously, when I used racoon+netkey, things were OK and the tunnel could be
> created.
>
>
> Thanks,
> Xinwei
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
>
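The check below is an added example and is not libreswan/pluto code. It takes the leftsubnets/rightsubnets pairs quoted in the thread (Router A's original and revised configurations, and Router B's), maps each initiator-side subnet onto the responder's opposite side, and reports per pair whether the two are an exact match, whether the proposal lies inside the responder's configured subnet, or whether a responder that narrows traffic selectors (the generic IKEv2 rule in RFC 7296 section 2.9) would have to shrink the proposal to its own configuration. The router dictionaries and the status names are assumptions made for the example; the thread itself does not settle whether a given pluto version accepts a narrowed selector, and Paul's rule that both sides must carry the same ranges and masks is what `exact_match` tests.

```python
import ipaddress

# Constructed from the thread: Router A's revised config (wider left side),
# Router A's original config from the first mail, and Router B's config.
ROUTER_A = {"leftsubnets": ["10.100.0.0/16"], "rightsubnets": ["10.200.0.0/16"]}
ROUTER_A_ORIGINAL = {"leftsubnets": ["10.100.0.0/16"], "rightsubnets": ["10.200.0.0/24"]}
ROUTER_B = {"leftsubnets": ["10.200.0.0/16"], "rightsubnets": ["10.100.0.0/24"]}


def parse(subnets):
    """Parse CIDR strings; strict=True rejects a prefix with host bits set."""
    return [ipaddress.ip_network(s, strict=True) for s in subnets]


def overlap(a, b):
    """Intersection of two CIDR blocks, or None if they are disjoint.
    Two aligned blocks either nest or do not touch, so the overlap is the smaller one."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def classify(proposed, configured):
    """Status names are this example's own, not pluto's terminology."""
    if proposed == configured:
        return "exact"
    if proposed.subnet_of(configured):
        return "proposal-within-config"
    if configured.subnet_of(proposed):
        return "responder-narrows"
    return "disjoint"


def negotiate(initiator, responder):
    """Model the initiator offering its (left, right) subnets to the responder.
    The initiator's left is the responder's right and vice versa. For each
    proposed subnet, find a configured subnet that overlaps it and report
    what a narrowing-capable responder would agree on."""
    pairs = [("left", initiator["leftsubnets"], responder["rightsubnets"]),
             ("right", initiator["rightsubnets"], responder["leftsubnets"])]
    results = []
    for side, proposed_list, configured_list in pairs:
        for p in parse(proposed_list):
            match = None
            for c in parse(configured_list):
                o = overlap(p, c)
                if o is not None:
                    match = {"side": side, "proposed": str(p), "configured": str(c),
                             "agreed": str(o), "status": classify(p, c)}
                    break
            if match is None:
                match = {"side": side, "proposed": str(p), "configured": None,
                         "agreed": None, "status": "disjoint"}
            results.append(match)
    return results


def exact_match(initiator, responder):
    """The rule Paul states: both sides must carry the same ranges and masks."""
    return all(r["status"] == "exact" for r in negotiate(initiator, responder))


if __name__ == "__main__":
    for label, a in (("revised A", ROUTER_A), ("original A", ROUTER_A_ORIGINAL)):
        print(f"Router B proposing to {label}: exact match = {exact_match(ROUTER_B, a)}")
        for r in negotiate(ROUTER_B, a):
            print("  ", r)
```

Run against the revised Router A, the 10.200.0.0/16 pair is exact and the 10.100.0.0/24 proposal sits inside A's 10.100.0.0/16, so only a responder willing to accept a narrower selector than its own configuration would bring the tunnel up; against the original Router A, the 10.200.0.0/16 proposal is wider than A's 10.200.0.0/24 and would have to be narrowed by A. Neither case passes `exact_match`, which is the condition to aim for if you want the behaviour to be independent of how the peer handles narrowing.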

