[Swan] rightsubnets and leftsubnets - only a single network works

Viktor Keremedchiev vkeremedchiev at adaptavist.com
Fri May 3 13:32:48 UTC 2019


Hello,

I have a tunnel between libreswan and Palo Alto. I have defined 2 leftsubnets but only one is created. I don't have access to the Palo Alto device.

conn qqqqqqqqqqq
  authby=secret
  pfs=yes
  auto=start
  keyingtries=%forever
  keylife=1h
  ike=aes256-sha256-dh14
  esp=aes256-sha256
  ikelifetime=28800s
  type=tunnel
  left=%defaultroute
  leftid=162.2……...
  leftsubnets={ 10.64.30.5/32 }
  leftnexthop=%defaultroute
  leftsourceip=10.64.30.5
  aggressive=no
  right=4…...
  rightsubnets={ 10.128.0.0/9 10.65.0.0/16 }
  rightnexthop=%defaultroute
  rightsourceip=4……...
  dpddelay=10
  dpdtimeout=3600
  dpdaction=restart

this is in /etc/ipsec.conf
config setup
  listen=162…...
  dumpdir=/var/run/pluto/
  virtual_private=%v4:192.168.6.0/24
  protostack=netkey
  plutostderrlog=/tmp/pluto.log
  keep_alive=60

include /etc/ipsec.d/*.conf

Tunnel is established


ip xfrm policy
src 10.64.30.5/32 dst 10.128.0.0/9 
	dir out priority 1040374 ptype main 
	tmpl src 162…... dst 4.79.1.105
		proto esp reqid 16389 mode tunnel
src 10.128.0.0/9 dst 10.64.30.5/32 
	dir fwd priority 1040374 ptype main 
	tmpl src 4…….. dst 162………...
		proto esp reqid 16389 mode tunnel
src 10.128.0.0/9 dst 10.64.30.5/32 
	dir in priority 1040374 ptype main 
	tmpl src 4……... dst 162………...
		proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src ::/0 dst ::/0 proto ipv6-icmp type 135 
	dir out priority 1 ptype main 
src ::/0 dst ::/0 proto ipv6-icmp type 135 
	dir fwd priority 1 ptype main 
src ::/0 dst ::/0 proto ipv6-icmp type 135 
	dir in priority 1 ptype main 
src ::/0 dst ::/0 proto ipv6-icmp type 136 
	dir out priority 1 ptype main 
src ::/0 dst ::/0 proto ipv6-icmp type 136 
	dir fwd priority 1 ptype main 
src ::/0 dst ::/0 proto ipv6-icmp type 136 
	dir in priority 1 ptype main 

What might be causing 10.128.0.0/9 to be established but not 10.65.0.0/16?

Thank you
Viktor
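A small diagnostic for the situation described in this post, added here as an example and not part of the original message or of libreswan: it parses `ip xfrm policy` output and reports, for every leftsubnets/rightsubnets pair, which of the `out`, `in` and `fwd` kernel policies is missing. The subnet lists are taken from the ipsec.conf above; the policy dump is a constructed sample that reproduces the three tunnel policies shown in the post, with the redacted peer addresses replaced by documentation-range placeholders (192.0.2.1 and 198.51.100.1, an assumption). A pair that comes back with all three directions missing has no kernel policy at all, so the next place to look is the negotiation log for that child SA rather than routing.

```python
import ipaddress
import re

# Subnet lists copied from the conn in the post.
LEFT_SUBNETS = ["10.64.30.5/32"]
RIGHT_SUBNETS = ["10.128.0.0/9", "10.65.0.0/16"]

# Constructed sample of `ip xfrm policy` output. Peer addresses are
# placeholders (assumption); the subnet policies mirror the post.
XFRM_POLICY_DUMP = """\
src 10.64.30.5/32 dst 10.128.0.0/9
\tdir out priority 1040374 ptype main
\ttmpl src 192.0.2.1 dst 198.51.100.1
\t\tproto esp reqid 16389 mode tunnel
src 10.128.0.0/9 dst 10.64.30.5/32
\tdir fwd priority 1040374 ptype main
\ttmpl src 198.51.100.1 dst 192.0.2.1
\t\tproto esp reqid 16389 mode tunnel
src 10.128.0.0/9 dst 10.64.30.5/32
\tdir in priority 1040374 ptype main
\ttmpl src 198.51.100.1 dst 192.0.2.1
\t\tproto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
\tsocket out priority 0 ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
\tdir out priority 1 ptype main
"""

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s+dir (out|in|fwd) ")


def parse_xfrm_policies(dump):
    """Return a set of (src_net, dst_net, direction) for every policy
    that carries a 'dir' line. 'socket' policies have no 'dir' line and
    are therefore skipped."""
    policies = set()
    current = None
    for line in dump.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = (ipaddress.ip_network(m.group(1)),
                       ipaddress.ip_network(m.group(2)))
            continue
        m = DIR_RE.match(line)
        if m and current is not None:
            policies.add((current[0], current[1], m.group(1)))
            current = None
    return policies


def missing_policies(left_subnets, right_subnets, policies):
    """For each left/right subnet pair, list the directions that have no
    matching kernel policy. A complete pair has an 'out' policy from left
    to right and 'in' plus 'fwd' policies from right to left."""
    missing = {}
    for left in left_subnets:
        for right in right_subnets:
            ln = ipaddress.ip_network(left)
            rn = ipaddress.ip_network(right)
            expected = {"out": (ln, rn), "in": (rn, ln), "fwd": (rn, ln)}
            absent = sorted(d for d, (s, dst) in expected.items()
                            if (s, dst, d) not in policies)
            if absent:
                missing[(left, right)] = absent
    return missing


def report(dump=XFRM_POLICY_DUMP, left=LEFT_SUBNETS, right=RIGHT_SUBNETS):
    """Parse the dump and return the missing-policy map; also print it."""
    missing = missing_policies(left, right, parse_xfrm_policies(dump))
    for (l, r), dirs in missing.items():
        print(f"{l} <-> {r}: missing xfrm policy dir(s): {', '.join(dirs)}")
    return missing


if __name__ == "__main__":
    report()
```

On a live host, feed the script the real output with `ip xfrm policy` piped in and the subnet lists taken from the conn; with several subnets on each side, each pair that libreswan installs shows up as its own set of three policies, so this check pinpoints which pair never made it into the kernel.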
