[Swan] Overlapping traffic selectors and IKEv1
Paul Wouters
paul at nohats.ca
Tue Apr 24 14:36:05 UTC 2018
On Tue, 24 Apr 2018, Ivan Kuznetsov wrote:
> conn aCustomer
> connaddrfamily=ipv4
> type=tunnel
> auto=start
> authby=secret
> left=A.B.C.D
> leftsubnets=30.191.90.169/32,30.191.90.170/32
> right=E.F.G.H
> rightsubnets=30.201.192.24/32,30.201.192.34/32
> ikev2=no
>
> It need to add some customer addresses 30.201.x.y to tunnel. Customer IT
> service ask me to add the whole network 30.201.0.0/16 to rightsubnet, but for
> some reason does not remove the subset addresses:
>
> rightsubnets=30.201.192.24/32,30.201.192.34/32,30.201.0.0/16
>
> Will this configuration work properly for "old" addresses 30.201.192.24 and
> .34? What is the policy to choose one of overlapping traffic selectors - by
> longest prefix or someway other?
It should work.
The linux kernel uses priority numbers only, but libreswan does a
translation that maps longest prefix to a priority number.
Paul
More information about the Swan
mailing list