[Swan] Possible to setup multiple connections, partly behind NAT?
Paul Wouters
paul at nohats.ca
Fri Feb 16 17:33:38 EET 2024
On Thu, 15 Feb 2024, Phil Nightowl wrote:
>>> conn headq
>>> left=%defaultroute
>>> leftcert=remotehost1
>>> leftid=%fromcert
>>> right=198.51.100.33
>>> rightid=%fromcert
>>> leftsubnet=0.0.0.0/0
>>> rightsubnet=0.0.0.0/0
>>
>> What are you trying to do here? Where does 0.0.0.0/0 live? It cannot
>> live at both sides of the tunnel. Where would a packet for 1.2.3.4
>> need to go? To left or to right?
>
> I realised I did not answer this one. A packet for 1.2.3.4 should go out
> unencrypted, as this address is not equal to 198.51.100.33 (which would
> be the only host to whom ipsec conn is desired). Still sticking to
> host-to-host (client-to-server), no tunnel between subnets necessary.
>
> Some real tunnels (subnet-to-subnet) are to be added at some point in
> the future, but at the moment, I want to keep things as simple as
> possible to get the primary connections working at all.
>
> Should I remove the leftsubnet/rightsubnet options altogether?
Yes.
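As an added illustration (not part of the original thread), the check below parses a constructed ipsec.conf sample with the posted conn beside a host-to-host version that drops leftsubnet/rightsubnet, and flags any conn whose two selectors claim the same addresses. The sample values, the conn name headq-fixed and the helper names are assumptions for the example.

```python
import ipaddress

# Constructed ipsec.conf sample: the conn as posted (0.0.0.0/0 on both sides)
# beside a host-to-host version whose selectors default to the two host addresses.
SAMPLE_CONF = """\
conn headq
    left=%defaultroute
    leftcert=remotehost1
    right=198.51.100.33
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0

conn headq-fixed
    left=%defaultroute
    leftcert=remotehost1
    right=198.51.100.33
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                   # section header at column 0
            parts = line.split(None, 1)
            name = parts[1] if len(parts) > 1 else ""
            current = conns.setdefault(name, {}) if parts[0] == "conn" else None
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def overlapping_selectors(conns):
    """Conns whose leftsubnet and rightsubnet share addresses: a packet for such
    an address could match either side, the ambiguity raised for 0.0.0.0/0 on
    both ends. Conns omitting either option (host-to-host) are skipped."""
    flagged = []
    for name, opts in conns.items():
        if "leftsubnet" not in opts or "rightsubnet" not in opts:
            continue
        try:   # values such as vhost:%priv or comma lists are not plain CIDRs
            left = ipaddress.ip_network(opts["leftsubnet"], strict=False)
            right = ipaddress.ip_network(opts["rightsubnet"], strict=False)
        except ValueError:
            continue
        if left.overlaps(right):
            flagged.append(name)
    return flagged
```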