[Swan] [External] : Re: Question on opportunistic ipsec for multiple interfaces on same subnet
Paul Wouters
paul at nohats.ca
Wed Aug 30 02:17:04 EEST 2023
On Tue, 29 Aug 2023, Mamta Gambhir wrote:
> I was hoping above should be working or will need changes too. I am using equivalent of libreswan 5.0.
>
> Though your suggestion of having multiple private (private/private2) sections will be most appropriate, I wasn’t aware of that. Thank
> you. I am assuming I will need a private2 policies file too.
>
> I am open to try and test the changes as needed in programs/pluto/foodgroups.c to make this work as our goal is to get above going.
Actually, looking at the code it seems the hardcoded names for
foodgroups have completely vanished.
So I think you can do this:
conn private-or-clear
	authby=null
	leftid=%null
	rightid=%null
	left=192.168.0.1
	right=%opportunisticgroup
	negotiationshunt=passthrough
	failureshunt=passthrough
	ikev2=insist
	auto=route
	type=transport

conn private-or-clear-2
	authby=null
	leftid=%null
	rightid=%null
	left=192.168.0.2
	right=%opportunisticgroup
	negotiationshunt=passthrough
	failureshunt=passthrough
	ikev2=insist
	auto=route
	type=transport

# /etc/ipsec.d/policies/private-or-clear
192.168.0.0/24

# /etc/ipsec.d/policies/private-or-clear-2
192.168.0.0/24
Let me know if that works?
Paul
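A sanity check for the per-interface opportunistic conns in the reply above, added here as an example and not Libreswan's own code nor Paul's: it parses ipsec.conf-style conn sections together with the contents of the matching /etc/ipsec.d/policies/<conn> files, and reports deviations from the settings both conns share, a left= address reused by two conns, a missing policies file, and a policies entry that is not a valid network. The function names, TEMPLATE and the sample data are constructed for this example.

```python
import ipaddress

# Settings shared by both conn sections in the reply; only left= differs per interface.
TEMPLATE = {"authby": "null", "leftid": "%null", "rightid": "%null",
            "negotiationshunt": "passthrough", "failureshunt": "passthrough",
            "ikev2": "insist", "auto": "route", "type": "transport"}

def parse_conns(text):
    """Return {conn_name: {key: value}} from 'conn NAME' and 'key=value' lines."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if line.startswith("conn "):
            conns[(cur := line.split(None, 1)[1])] = {}
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            conns[cur][key.strip()] = value.strip()
    return conns

def check_oe_config(conns, policies):
    """policies: conn name -> text of /etc/ipsec.d/policies/<name>. Returns findings."""
    findings, lefts = [], {}
    for name, c in conns.items():
        if c.get("right") != "%opportunisticgroup":
            continue  # only opportunistic group conns are checked
        for key, want in TEMPLATE.items():
            if c.get(key) != want:
                findings.append(f"{name}: {key}={c.get(key)} (reply uses {want})")
        left = c.get("left")
        if left in lefts:  # one conn per interface address
            findings.append(f"{name}: left={left} already used by {lefts[left]}")
        lefts[left] = name
        if name not in policies:  # the group has no members without its file
            findings.append(f"{name}: missing /etc/ipsec.d/policies/{name}")
        for raw in policies.get(name, "").splitlines():
            net = raw.split("#", 1)[0].strip()
            try:
                net and ipaddress.ip_network(net)  # blank/comment lines skipped
            except ValueError:
                findings.append(f"{name}: {net!r} is not a valid network")
    return findings

def oe_conn(name, left):
    """Constructed helper: render one conn section in the shape of the reply."""
    body = dict(TEMPLATE, left=left, right="%opportunisticgroup")
    return f"conn {name}\n" + "".join(f"\t{k}={v}\n" for k, v in body.items())

# Constructed sample: the two interface conns from the reply and their policies files.
SAMPLE_CONF = oe_conn("private-or-clear", "192.168.0.1") + oe_conn("private-or-clear-2", "192.168.0.2")
SAMPLE_POLICIES = {"private-or-clear": "192.168.0.0/24\n", "private-or-clear-2": "192.168.0.0/24\n"}
```

Running check_oe_config(parse_conns(SAMPLE_CONF), SAMPLE_POLICIES) on the sample returns no findings; feed it the real ipsec.conf text and policies file contents to catch a typo before pluto loads them.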