[Swan] Possible to setup multiple connections, partly behind NAT?

Paul Wouters paul at nohats.ca
Fri Feb 9 16:44:16 EET 2024


On Fri, 9 Feb 2024, Phil Nightowl wrote:

>> Without these, you would only match a single left and right IP/32, and
>> when using right=%any that would become 0.0.0.0/32 which is a single IP
>> address.
>
> Please forgive me, I still don't get it. To me, it seems that even if those
> subnets are single IPs (/32), they're still ANY IPs.

It might not really make sense, but it is how it works.

> on a client machine would allow me to SSH (tcp/22) from that particular
> host to %any other, perhaps just not allowing to passthrough SSH to any
> further hosts on the same subnet that the right participant might be
> forwarding (routing, NATting, ...) to or forwarding to the right
> participant for others. Which is obviously not the case, according to
> what you write.

I understand why that makes logical sense.

> Now I am going to get rid of opportunistic encryption for the ipsec part
> itself. On host.privlan I just removed the policy file and replaced
> right=%opportunisticgroup with right=192.168.1.253. Everything works.
> The next step would be to adjust right= on server.privlan accordingly -
> but to what? Obviously, I could use right=%any - but I will need this
> option in the future to configure a different connection for the
> roadwarriors. Which brings me back to the question of how to distinguish
> between those connections?

You can have multiple connections with right=%any and do matching on
rightid= to select between them.

Paul
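An added illustration of the rightid= matching Paul describes (not part of the original reply, and not a configuration from the Libreswan project itself): two conns on server.privlan, both with right=%any, are told apart by the ID the peer presents during IKE authentication. The addresses, the host IDs, the PSK authentication and the subnet values below are assumptions chosen for the example; the real values come from the existing setup.

```ini
# /etc/ipsec.conf on server.privlan (example, assumed values)

# Fixed peer: host.privlan connects from a known address but is still
# declared with right=%any here; it is selected because its IKE ID is
# @host.privlan. Without rightid= both conns would look identical to the
# responder and the wrong one could be chosen.
conn host-privlan
    left=192.168.1.253          # assumed server address
    leftid=@server.privlan
    leftsubnet=192.168.1.0/24   # assumed; keeps the /32-only default from applying
    right=%any
    rightid=@host.privlan       # the ID host.privlan must send (assumed)
    rightsubnet=0.0.0.0/0
    authby=secret               # assumed; certificates work the same way
    auto=add

# Roadwarriors: also right=%any, but matched by a different ID. Using a
# distinct rightid per role keeps the two policies from colliding.
conn roadwarriors
    left=192.168.1.253
    leftid=@server.privlan
    leftsubnet=192.168.1.0/24
    right=%any
    rightid=@roadwarrior.privlan  # assumed shared ID for the roadwarrior group
    rightsubnet=0.0.0.0/0
    authby=secret
    auto=add
```

On the client side the matching conn sets leftid=@host.privlan (or @roadwarrior.privlan) so the ID payload it sends lines up with the responder's rightid=. When certificates are used instead of PSKs, rightid=%fromcert lets Libreswan take the peer ID from the certificate, which is the usual way to handle a roadwarrior pool without listing every client.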
