[Swan] Routing multiple subnets

Paul Wouters paul at nohats.ca
Mon May 27 02:47:08 UTC 2019


On Fri, 17 May 2019, Scott Whitten wrote:

>         rightsubnet=10.3.5.0/24
>         rightsourceip=10.3.5.254
>         leftsubnet=192.168.2.0/24
>         leftsourceip=192.168.2.251

> I'm connecting between Libreswan and a Cisco ASA.
> 
> There are 2 other subnets I'd like to add to "rightsubnet".  If I add them via: rightsubnets=10.3.5.0/24,10.3.10.0/24,10.3.22.0/24
> 
> The subnets are added to the routing table but I can't ping anything.  If I use just the config shown above, I can successfully ping 10.3.5.x hosts.
> 
> What am I doing wrong?

If you add multiple subnets, then you cannot specify sourceip=. You
should leave that out. If there is any traffic that you want to have
originating from the gateway itself to the remote subnets, and you
require a sourceip of an internal subnet that is present on the gateway
itself, you will need to add those routes (with "src x.x.x.x") yourself.

Although usually, if you have multiple subnets, those do not all have an
IP address on the gateway, and the gateway is really just a router for
those subnets.

Check that you are excluding NAT for all those source-dest subnet
combinations. If you accidentally NAT those to a public IP, it will
no longer match the left-right subnets and will not be encrypted by
IPsec.

Paul
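The three pieces Paul's reply asks for, as an added example that is not part of the thread and not Libreswan's own code: a conn with several remote subnets and no sourceip=, the "src" routes for gateway-originated traffic, and the NAT exclusions for every left/right subnet pair. The subnet values are the ones from Scott's post; the brace form rightsubnets={a b c}, the next hop 192.168.2.1 and the rule ordering (ACCEPT inserted before any MASQUERADE) are assumptions. The functions only print the configuration and commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the mailing list thread). Emits config text and
# commands; nothing here touches the running system.

# 1. A conn with several remote subnets and NO leftsourceip=/rightsourceip=.
#    The brace form rightsubnets={a b c} is the syntax assumed here.
ipsec_conf_multisubnet() {
    # $1 = conn name, $2 = left subnet, remaining args = right subnets
    name=$1; left=$2; shift 2
    printf 'conn %s\n' "$name"
    printf '        leftsubnet=%s\n' "$left"
    printf '        rightsubnets={%s}\n' "$*"
    printf '        # no leftsourceip=/rightsourceip=: not allowed with multiple subnets\n'
}

# 2. One route per remote subnet carrying "src <internal address>", so that
#    traffic the gateway itself originates toward those subnets uses the
#    internal address instead of the public one.
src_routes() {
    # $1 = internal source address, $2 = next hop toward the peer (placeholder),
    # remaining args = remote subnets
    src=$1; nexthop=$2; shift 2
    for net in "$@"; do
        printf 'ip route replace %s via %s src %s\n' "$net" "$nexthop" "$src"
    done
}

# 3. NAT exclusions: an ACCEPT in nat/POSTROUTING, inserted (-I) ahead of any
#    MASQUERADE/SNAT rule, for every left-subnet/right-subnet pair. Traffic
#    that gets NATed to the public IP no longer matches the IPsec policy and
#    would leave in the clear.
nat_exclusion_rules() {
    # $1 = left subnet, remaining args = right subnets
    left=$1; shift
    for net in "$@"; do
        printf 'iptables -t nat -I POSTROUTING -s %s -d %s -j ACCEPT\n' "$left" "$net"
    done
}

# Sanity check on a conn read from stdin: if it lists *subnets=, it must not
# also carry a left/rightsourceip= setting. Returns 1 when both are present.
conn_is_consistent() {
    conf=$(cat)
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*(left|right)subnets=' \
       && printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*(left|right)sourceip='; then
        return 1
    fi
    return 0
}

# Usage with the values from the thread (192.168.2.1 is a placeholder next hop):
ipsec_conf_multisubnet asa 192.168.2.0/24 10.3.5.0/24 10.3.10.0/24 10.3.22.0/24
src_routes 192.168.2.251 192.168.2.1 10.3.5.0/24 10.3.10.0/24 10.3.22.0/24
nat_exclusion_rules 192.168.2.0/24 10.3.5.0/24 10.3.10.0/24 10.3.22.0/24
```

After applying the NAT exclusions, `iptables -t nat -L POSTROUTING -n --line-numbers` should show the ACCEPT rules above any MASQUERADE rule; if the ACCEPTs come later, the packets are already rewritten before the exclusion is reached.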


More information about the Swan mailing list