[Swan] Overlapping traffic selectors and IKEv1

Ivan Kuznetsov kia at solvo.ru
Tue Apr 24 14:47:30 UTC 2018


Paul, thank you a lot!

Ivan

24.04.2018 17:36, Paul Wouters wrote:
> On Tue, 24 Apr 2018, Ivan Kuznetsov wrote:
> 
>> conn aCustomer
>>         connaddrfamily=ipv4
>>         type=tunnel
>>         auto=start
>>         authby=secret
>>         left=A.B.C.D
>>         leftsubnets=30.191.90.169/32,30.191.90.170/32
>>         right=E.F.G.H
>>         rightsubnets=30.201.192.24/32,30.201.192.34/32
>>         ikev2=no
>>
>> I need to add some customer addresses 30.201.x.y to the tunnel. The customer
>> IT service asks me to add the whole network 30.201.0.0/16 to
>> rightsubnet, but for some reason does not remove the subset addresses:
>>
>>        rightsubnets=30.201.192.24/32,30.201.192.34/32,30.201.0.0/16
>>
>> Will this configuration work properly for the "old" addresses
>> 30.201.192.24 and .34? What is the policy for choosing one of the overlapping
>> traffic selectors - by longest prefix or some other way?
> 
> It should work.
> 
> The linux kernel uses priority numbers only, but libreswan does a
> translation that maps longest prefix to a priority number.
> 
> Paul
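As an added illustration (not libreswan's or the kernel's code, and not part of the thread), a small Python model of the mapping Paul describes: the overlapping rightsubnets from the config above are expanded into per-pair policies, each given a priority derived from its prefix lengths, and a lookup then picks the most specific one the way a priority-only match would. The priority formula and the base constant are assumptions.

```python
"""Model of longest-prefix-to-priority ordering for overlapping IPsec selectors.

Assumed, not libreswan's code: a priority-only matcher (lower number wins)
can still honour longest prefix if every policy's priority is derived from
how specific its selectors are. The formula and BASE below are constructed.
"""
from ipaddress import ip_address, ip_network
from itertools import product

# Subnets from the conn in the thread; RIGHT deliberately keeps the overlap.
LEFT = ["30.191.90.169/32", "30.191.90.170/32"]
RIGHT = ["30.201.192.24/32", "30.201.192.34/32", "30.201.0.0/16"]
BASE = 1_000_000  # constructed: keeps all computed priorities positive


def policy_priority(src, dst):
    """Constructed rule: the more specific the selector pair, the lower the number."""
    return BASE - (src.prefixlen + dst.prefixlen) * 1000


def expand_policies(left_subnets, right_subnets):
    """Expand leftsubnets x rightsubnets into (src, dst, priority), one per pair."""
    policies = []
    for left, right in product(left_subnets, right_subnets):
        src, dst = ip_network(left), ip_network(right)
        policies.append((src, dst, policy_priority(src, dst)))
    return sorted(policies, key=lambda p: p[2])


def matching_policies(policies, src_ip, dst_ip):
    """All policies whose selectors cover the flow; overlaps give more than one."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return [p for p in policies if s in p[0] and d in p[1]]


def select_policy(policies, src_ip, dst_ip):
    """Priority-only choice among the matches, as the kernel would make it."""
    matches = matching_policies(policies, src_ip, dst_ip)
    return min(matches, key=lambda p: p[2]) if matches else None


if __name__ == "__main__":
    pols = expand_policies(LEFT, RIGHT)
    for flow in [("30.191.90.169", "30.201.192.24"), ("30.191.90.170", "30.201.5.5")]:
        hits = matching_policies(pols, *flow)
        chosen = select_policy(pols, *flow)
        print(flow, "matches", [str(p[1]) for p in hits], "-> chosen", chosen[1])
```

Run it to see that a flow to 30.201.192.24 matches both the /32 and the /16 policy but the /32 wins on priority, while a flow to an address only covered by the /16 falls through to it.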

