[Swan] Overlapping traffic selectors and IKEv1

Paul Wouters paul at nohats.ca
Tue Apr 24 14:36:05 UTC 2018

On Tue, 24 Apr 2018, Ivan Kuznetsov wrote:

> conn aCustomer
>         connaddrfamily=ipv4
>         type=tunnel
>         auto=start
>         authby=secret
>         left=A.B.C.D
>         leftsubnets=,
>         right=E.F.G.H
>         rightsubnets=,
>         ikev2=no
> I need to add some customer addresses 30.201.x.y to the tunnel. The customer's IT
> service asks me to add the whole network to rightsubnet, but for
> some reason does not remove the subset addresses:
>        rightsubnets=,,
> Will this configuration work properly for the "old" addresses and
> .34? What is the policy for choosing one of the overlapping traffic selectors - by
> longest prefix or some other way?

It should work.

The Linux kernel uses priority numbers only, but libreswan does a
translation that maps longest prefix to a priority number.
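The following is an added illustration of the selection rule described in the reply above; it is not libreswan code and does not use libreswan's real priority formula. It models how a set of leftsubnets/rightsubnets pairs becomes one kernel policy per pair, assigns each policy a priority number derived from its combined prefix length (a hypothetical mapping in which a longer prefix yields a smaller number, since the kernel's XFRM policy lookup prefers the lowest priority value), and then shows which policy a packet to an address covered by both the /24 and a /32 entry ends up matching. The subnets and the `policy_priority` formula are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class XfrmPolicy:
    """One kernel policy: src subnet -> dst subnet, tagged with the connection
    instance that installed it and its priority (lower value wins)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    conn: str
    priority: int


def policy_priority(src: ipaddress.IPv4Network, dst: ipaddress.IPv4Network) -> int:
    # Hypothetical longest-prefix-to-priority translation (NOT libreswan's
    # actual formula): the more specific the selector pair, the smaller the
    # number, so the kernel prefers it over a less specific overlapping pair.
    return 65536 - (src.prefixlen + dst.prefixlen)


def build_policies(conn: str, left_subnets: list, right_subnets: list) -> list:
    """Expand leftsubnets x rightsubnets into one policy per pair, the way
    each pair becomes its own child connection/SA (assumed model)."""
    policies = []
    for i, l in enumerate(left_subnets, 1):
        for j, r in enumerate(right_subnets, 1):
            s = ipaddress.ip_network(l)
            d = ipaddress.ip_network(r)
            policies.append(XfrmPolicy(s, d, f"{conn}/{i}x{j}", policy_priority(s, d)))
    return policies


def select_policy(policies: list, src_ip: str, dst_ip: str):
    """Return the policy the kernel would apply: among all policies whose
    selectors cover the packet, the one with the lowest priority value."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    matches = [p for p in policies if src in p.src and dst in p.dst]
    if not matches:
        return None
    return min(matches, key=lambda p: p.priority)


# Constructed sample: the customer's whole /24 plus two host entries that
# overlap it, mirroring the rightsubnets=,, situation in the question.
SAMPLE_POLICIES = build_policies(
    "aCustomer",
    ["10.0.0.0/24"],
    ["203.0.113.0/24", "203.0.113.34/32", "203.0.113.35/32"],
)


def overlapping_demo() -> dict:
    """Which policy is chosen for a host covered by both /24 and /32,
    and for a host covered only by the /24."""
    specific = select_policy(SAMPLE_POLICIES, "10.0.0.5", "203.0.113.34")
    general = select_policy(SAMPLE_POLICIES, "10.0.0.5", "203.0.113.200")
    return {
        "host_34": (specific.conn, str(specific.dst), specific.priority),
        "host_200": (general.conn, str(general.dst), general.priority),
    }


if __name__ == "__main__":
    for name, (conn, dst, prio) in overlapping_demo().items():
        print(f"{name}: conn={conn} dst={dst} priority={prio}")
```

Running the demo shows the /32 entry winning for 203.0.113.34 (priority 65480 beats the /24's 65488) while other hosts in the network fall through to the /24 policy, so keeping the host entries alongside the whole network is harmless as long as the translation assigns the more specific selector the better priority.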


