[Swan] Overlapping traffic selectors and IKEv1

Ivan Kuznetsov kia at solvo.ru
Tue Apr 24 13:08:02 UTC 2018


Hello

We have a running IPsec/IKEv1 tunnel with a customer. Part of configuration:

conn aCustomer
         connaddrfamily=ipv4
         type=tunnel
         auto=start
         authby=secret
         left=A.B.C.D
         leftsubnets=30.191.90.169/32,30.191.90.170/32
         right=E.F.G.H
         rightsubnets=30.201.192.24/32,30.201.192.34/32
         ikev2=no

It is necessary to add some customer addresses 30.201.x.y to the tunnel. The customer's IT 
service asked me to add the whole network 30.201.0.0/16 to rightsubnets, 
but for some reason does not remove the subset addresses:

         rightsubnets=30.201.192.24/32,30.201.192.34/32,30.201.0.0/16

Will this configuration work properly for the "old" addresses 30.201.192.24 
and .34? What is the policy for choosing one of the overlapping traffic 
selectors - by longest prefix or some other way?

The customer-side equipment is some Cisco router; I don't know the details. Our 
side is libreswan 3.21.

Regards, Ivan Kuznetsov
SOLVO ltd.

P.S. 30.191.x.y and 30.201.x.y are really local. Don't ask me why the 
customer chose to use them :)
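An added check, not from this post or from libreswan itself, that reads the conn block above (with the proposed rightsubnets line) and reports which right-side selectors are nested inside others, so the overlap the question is about is visible before the config is deployed. It assumes the documented libreswan behaviour that each left/right subnet combination under leftsubnets=/rightsubnets= becomes its own connection instance; the conn text is the post's own, embedded as a constructed sample.

```python
import ipaddress

# Constructed sample: the conn from the post, with the proposed
# overlapping rightsubnets= line already applied.
CONN_TEXT = """conn aCustomer
         connaddrfamily=ipv4
         type=tunnel
         auto=start
         authby=secret
         left=A.B.C.D
         leftsubnets=30.191.90.169/32,30.191.90.170/32
         right=E.F.G.H
         rightsubnets=30.201.192.24/32,30.201.192.34/32,30.201.0.0/16
         ikev2=no
"""


def parse_subnets(conn_text, key):
    """Return the networks listed under leftsubnets= or rightsubnets=, in config order."""
    for line in conn_text.splitlines():
        line = line.strip()
        if line.startswith(key + "="):
            value = line.split("=", 1)[1]
            return [ipaddress.ip_network(s.strip(), strict=True)
                    for s in value.split(",") if s.strip()]
    return []


def selector_pairs(conn_text):
    """All (left, right) selector pairs; with subnets= libreswan instantiates
    one connection (and hence one Phase 2 SA) per pair, per ipsec.conf(5)."""
    lefts = parse_subnets(conn_text, "leftsubnets")
    rights = parse_subnets(conn_text, "rightsubnets")
    return [(str(l), str(r)) for l in lefts for r in rights]


def overlapping_selectors(conn_text, key="rightsubnets"):
    """Pairs (narrower, broader) where one listed network is contained in
    another. CIDR blocks are either disjoint or nested, so subnet_of() is the
    complete overlap test; each hit means two SAs would claim the same traffic."""
    nets = parse_subnets(conn_text, key)
    return [(str(a), str(b)) for a in nets for b in nets
            if a != b and a.subnet_of(b)]


if __name__ == "__main__":
    for narrow, broad in overlapping_selectors(CONN_TEXT):
        print(f"selector {narrow} is also covered by {broad}")
```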
