[Swan] Can subset of a subnet works between peers?
Paul Wouters
paul at nohats.ca
Tue Mar 7 11:24:19 UTC 2017
On Mon, 6 Mar 2017, Xinwei Hong wrote:
> My example is probably not very good. Modify a little bit. On one side (Router A):
> leftsubnets='10.100.0.0/16'
> rightsubnets='10.200.0.0/16'
>
> on the other side (Router B):
> leftsubnets='10.200.0.0/16'
> rightsubnets='10.100.0.0/24'
>
> When Router B proposes to Router A, since the requested rightsubnets is a subset of Router A's leftsubnets, we would expect it could
> work.
rightsubnet is NOT a subset of leftsubnet in this case. You have
10.100.0.0/16 which is 10.100.*.* which does not overlap with 10.200.0.*
If you really mean:
leftsubnets='10.100.0.0/16'
rightsubnets='10.100.0.0/24'
Then there truly IS an overlap. This situation works but on the end with
the smaller subnet (in this case right) you would also need to add a
passthrough to ensure 10.100.0.0/24 only traffic remains local:
conn passthrough
    left=1.2.3.4
    right=0.0.0.0
    leftsubnet=10.100.0.0/24
    rightsubnet=10.100.0.0/24
    authby=never
    type=passthrough
    auto=route
This will exclude all 10.100.0.0/24 <-> 10.100.0.0/24 traffic from being
sent to the 10.100.0.0/16 remote network.
This is explained at: https://libreswan.org/wiki/Subnet_extrusion
> The scenario we want to support is: say at beginning, Router A and B have exact match between 10.100.0.0/24 and 10.200.0.0/16, but later
> customer decide to expand Router A leftsubnets to 10.100.0.0/16. After Router A made the change, we want the communication between A and B
> still works without having to manually update Router B's configuration.
That is something completely different, and called "routing based VPN".
For that, please see: https://libreswan.org/wiki/Route-based_VPN_using_VTI
Paul
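The two checks in the reply above, as an added example that is not part of the thread and not libreswan code: first, whether one peer's selector is a subset of the other's or simply disjoint (the original example) versus nested (the corrected example); second, a simplified model of why the passthrough conn on the smaller-subnet end keeps /24-to-/24 traffic local while /24-to-/16 traffic still enters the tunnel. The most-specific-selector-wins rule is an assumed simplification of kernel policy lookup, and the address 192.0.2.1 is a constructed placeholder.

```python
"""Added example (not from the Swan list thread or libreswan itself):
compare subnet selectors between peers and model the effect of the
passthrough conn described in the reply."""
import ipaddress
from typing import List, Optional, Tuple

# (conn name, local selector, remote selector), as seen from one router.
Policy = Tuple[str, str, str]


def relation(local_sel: str, peer_sel: str) -> str:
    """How the peer's selector relates to the local one.
    Two CIDR blocks are always equal, nested, or disjoint."""
    a = ipaddress.ip_network(local_sel, strict=True)
    b = ipaddress.ip_network(peer_sel, strict=True)
    if a == b:
        return "exact"
    if b.subnet_of(a):
        return "peer-narrower"   # extrusion case: peer carves a /24 out of our /16
    if a.subnet_of(b):
        return "peer-wider"
    return "disjoint"           # no overlap at all, e.g. 10.100.0.0/16 vs 10.200.0.0/16


def passthrough_conn(local_ip: str, subnet: str, name: str = "passthrough") -> str:
    """Render the bypass conn the reply recommends for the end holding the
    smaller subnet, so that subnet's internal traffic never hits the tunnel."""
    net = ipaddress.ip_network(subnet, strict=True)
    return "\n".join([
        f"conn {name}",
        f"    left={local_ip}",
        "    right=0.0.0.0",
        f"    leftsubnet={net}",
        f"    rightsubnet={net}",
        "    authby=never",
        "    type=passthrough",
        "    auto=route",
    ])


def select_policy(src: str, dst: str, policies: List[Policy]) -> Optional[str]:
    """Simplified model (assumed, not libreswan's actual code) of policy
    lookup: among policies whose selectors cover (src, dst), the one with the
    longest combined prefix length wins. This is why a /24<->/24 passthrough
    takes precedence over a /24<->/16 tunnel for local traffic."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    best: Optional[str] = None
    best_len = -1
    for name, lsel, rsel in policies:
        l = ipaddress.ip_network(lsel, strict=True)
        r = ipaddress.ip_network(rsel, strict=True)
        if s in l and d in r:
            length = l.prefixlen + r.prefixlen
            if length > best_len:
                best, best_len = name, length
    return best


# Constructed policy table for the /24 ("right") router in the corrected
# example: the tunnel conn plus the passthrough conn from the reply.
RIGHT_ROUTER_POLICIES: List[Policy] = [
    ("tunnel", "10.100.0.0/24", "10.100.0.0/16"),
    ("passthrough", "10.100.0.0/24", "10.100.0.0/24"),
]


if __name__ == "__main__":
    # Original example: the selectors do not overlap at all.
    print(relation("10.100.0.0/16", "10.200.0.0/16"))
    # Corrected example: the peer's /24 sits inside the local /16.
    print(relation("10.100.0.0/16", "10.100.0.0/24"))
    # Local /24 traffic stays local; traffic to the rest of the /16 is tunneled.
    print(select_policy("10.100.0.5", "10.100.0.9", RIGHT_ROUTER_POLICIES))
    print(select_policy("10.100.0.5", "10.100.5.1", RIGHT_ROUTER_POLICIES))
    print(passthrough_conn("192.0.2.1", "10.100.0.0/24"))
```

Running the script prints `disjoint` for the thread's original pair, `peer-narrower` for the corrected pair, and shows that without the passthrough entry the same lookup would route 10.100.0.5 to 10.100.0.9 into the tunnel, since the /16 selector also covers the local /24.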