[Swan] Overlapping traffic selectors and IKEv1
Ivan Kuznetsov
kia at solvo.ru
Tue Apr 24 13:08:02 UTC 2018
Hello
We have a running IPsec/IKEv1 tunnel with a customer. Part of configuration:
conn aCustomer
connaddrfamily=ipv4
type=tunnel
auto=start
authby=secret
left=A.B.C.D
leftsubnets=30.191.90.169/32,30.191.90.170/32
right=E.F.G.H
rightsubnets=30.201.192.24/32,30.201.192.34/32
ikev2=no
It need to add some customer addresses 30.201.x.y to tunnel. Customer IT
service ask me to add the whole network 30.201.0.0/16 to rightsubnet,
but for some reason does not remove the subset addresses:
rightsubnets=30.201.192.24/32,30.201.192.34/32,30.201.0.0/16
Will this configuration work properly for "old" addresses 30.201.192.24
and .34? What is the policy to choose one of overlapping traffic
selectors - by longest prefix or someway other?
Customer side equipment is some Cisco router, I don't know details. Our
side is libreswan 3.21
Regards, Ivan Kuznetsov
SOLVO ltd.
P.S. 30.191.x.y and 30.201.x.y are really local. Don't ask me why the
customer choose to use them :)
More information about the Swan
mailing list