[Swan] [External] : Re: Question on opportunistic ipsec for multiple interfaces on same subnet

Paul Wouters paul at nohats.ca
Wed Aug 30 02:17:04 EEST 2023


On Tue, 29 Aug 2023, Mamta Gambhir wrote:


>
> I was hoping above should be working or will need changes too. I am using equivalent of libreswan 5.0.
> 
> Though your suggestion of having multiple private (private/private2) sections will be most appropriate I wasn’t aware of that. Thank
> you. I am assuming I will need private2 policies file too.
> 
> I am open to try and test the changes as needed in programs/pluto/foodgroups.c to make this work as our goal is to get above going.

Actually, looking at the code it seems the hardcoded names for
foodgroups have completely vanished.

So I think you can do this:

conn private-or-clear
        authby=null
        leftid=%null
        rightid=%null
        left=192.168.0.1
        right=%opportunisticgroup
        negotiationshunt=passthrough
        failureshunt=passthrough
        ikev2=insist
        auto=route
        type=transport

conn private-or-clear-2
        authby=null
        leftid=%null
        rightid=%null
        left=192.168.0.2
        right=%opportunisticgroup
        negotiationshunt=passthrough
        failureshunt=passthrough
        ikev2=insist
        auto=route
        type=transport

# /etc/ipsec.d/policies/private-or-clear
192.168.0.0/24

# /etc/ipsec.d/policies/private-or-clear-2
192.168.0.0/24


Let me know if that works?

Paul
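One way to sanity-check a setup like the one above before loading it (an added example, not code from libreswan or from this thread): it parses ipsec.conf-style conn sections, compares every %opportunisticgroup conn against the settings the conns above share, and checks that each such conn has a non-empty policies file. The required-settings list and the sample ipsec.conf/policies contents are constructed assumptions for the example.

```python
import re
# The settings every null-auth opportunistic conn in the mail carries; this
# checker treats them as required (an assumption, not a libreswan rule).
REQUIRED = {"authby": "null", "leftid": "%null", "rightid": "%null",
            "right": "%opportunisticgroup", "auto": "route"}

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()            # strip comments
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:                                            # "conn <name>" header
            current = conns.setdefault(m.group(1), {})
        elif current is not None and line[:1].isspace() and "=" in line:
            key, _, value = line.strip().partition("=")  # indented option
            current[key.strip()] = value.strip()
    return conns

def check_opportunistic(conns, policies):
    """policies: conn name -> CIDRs from /etc/ipsec.d/policies/<name>; returns problems."""
    problems = []
    for name, opts in sorted(conns.items()):
        if opts.get("right") != "%opportunisticgroup":
            continue                                     # not an OE group conn
        for key, want in REQUIRED.items():
            if opts.get(key) != want:
                problems.append(f"{name}: expected {key}={want}, got {opts.get(key)!r}")
        if not policies.get(name):
            problems.append(f"{name}: no policies file or it is empty")
    return problems

# Constructed sample: the mail's two conns, but the second uses auto=add and has no policies file.
SAMPLE_CONF = """\
conn private-or-clear
        authby=null
        leftid=%null
        rightid=%null
        left=192.168.0.1
        right=%opportunisticgroup
        auto=route
conn private-or-clear-2
        authby=null
        leftid=%null
        rightid=%null
        left=192.168.0.2
        right=%opportunisticgroup
        auto=add
"""
SAMPLE_POLICIES = {"private-or-clear": ["192.168.0.0/24"]}
```

To run it against a real host, read /etc/ipsec.conf into `parse_conns` and build the policies dict from the files under /etc/ipsec.d/policies/.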

