[Swan] Possible to setup multiple connections, partly behind NAT?
Phil Nightowl
phil.nightowl at gmail.com
Fri Feb 16 00:01:30 EET 2024
> > conn headq
> > left=%defaultroute
> > leftcert=remotehost1
> > leftid=%fromcert
> > right=198.51.100.33
> > rightid=%fromcert
> > leftsubnet=0.0.0.0/0
> > rightsubnet=0.0.0.0/0
>
> What are you trying to do here? Where does 0.0.0.0/0 live? It cannot
> live at both sides of the tunnel. Where would a packet for 1.2.3.4
> need to go? To left or to right?
I realised I did not answer this one. A packet for 1.2.3.4 should go out
unencrypted, as this address is not equal to 198.51.100.33 (which would
be the only host to whom an ipsec conn is desired). Still sticking to
host-to-host (client-to-server), no tunnel between subnets necessary.
Some real tunnels (subnet-to-subnet) are to be added at some point in
the future, but at the moment, I want to keep things as simple as
possible to get the primary connections working at all.
Should I remove the leftsubnet/rightsubnet options altogether?
Phil
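Added example (not part of the message above, and not taken from the libreswan project): the quoted conn next to a host-to-host version of it. The conn name, certificate name and 198.51.100.33 are the poster's; auto=start is an assumption so the second conn is complete. In libreswan an omitted leftsubnet/rightsubnet defaults to that end's own address (a /32), which is exactly the host-to-host policy the poster describes.

```ini
# Added example, not from the original message. Names and the address are
# the poster's; auto=start is an assumption to make the conn complete.

# As posted: both ends claim 0.0.0.0/0. Every packet, including one for
# 1.2.3.4, matches the policy at both ends, so nothing says which end
# owns that address and the conn does not describe a host-to-host link.
conn headq-broken
    left=%defaultroute
    leftcert=remotehost1
    leftid=%fromcert
    right=198.51.100.33
    rightid=%fromcert
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0

# Host-to-host: leave leftsubnet/rightsubnet out. Each end then defaults
# to its own address as a /32, so only traffic between left and
# 198.51.100.33 is protected, and a packet for 1.2.3.4 is sent in the
# clear because no IPsec policy covers it. Subnet-to-subnet tunnels added
# later get their own conn with explicit leftsubnet/rightsubnet values.
conn headq
    left=%defaultroute
    leftcert=remotehost1
    leftid=%fromcert
    right=198.51.100.33
    rightid=%fromcert
    auto=start
```

The peer's config is the mirror image (its own cert on the left, this host's address on the right), again with no subnet keywords. To confirm the installed policy is really host-to-host, run `ipsec status` and `ip xfrm policy` on either end: the selectors should list only the two host addresses, with no 0.0.0.0/0 entry in either direction.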