<div dir="ltr">Paul,<div><br></div><div>I added your suggested config changes and still get the same xfrm policies as before. Here are the configs:</div><div><br></div><div>All of this has been with version: "Linux Libreswan 4.5 (XFRM) on 4.18.0-372.40.1.el8_6.x86_64"</div><div><br></div><div>Server:</div><div>----------</div><div><br></div><div>conn vpnserver.dl110-05.xyz.com<br>    left=192.168.43.55<br>    leftid="O=XYZ,CN=vpnserver.dl110-05.xyz.com"<br>    leftsubnet=172.16.2.55/24<br>    leftrsasigkey=%cert<br>    leftcert=vpnserver.dl110-05.xyz.com<br>    leftsendcert=always<br>    leftsourceip=10.10.100.5<br>    leftmodecfgserver=yes<br>    narrowing=yes<br><br>    # Clients<br>    right=%any<br>    rightrsasigkey=%cert<br>    rightid=%fromcert<br>    rightca=%same<br>    rightaddresspool="172.16.111.10-172.16.111.99"<br></div><div>    ...</div><div><br></div><div>Client:</div><div>--------</div><div>conn vpnclient.dl110-00.xyz.com<br>    right=192.168.43.55<br>    rightid="O=XYZ,CN=vpnserver.dl110-05.xyz.com"<br>    rightsubnet=0.0.0.0/0<br>    rightrsasigkey=%cert<br><br>    left=172.16.1.10<br>    leftrsasigkey=%cert<br>    leftid="O=XYZ,CN=vpnclient.dl110-00.xyz.com"<br>    leftcert=vpnclient.dl110-00.xyz.com<br>    leftupdown="/bin/ipsec_tunnel_tool_updown.xfrm.sh"<br>    leftsubnet=0.0.0.0/0<br>    leftmodecfgclient=yes<br>    narrowing=yes<br><br>    mark=5/0xffffffff<br>    vti-interface=vti01<br>    vti-routing=yes<br>    vti-shared=no<br></div><div>    
...</div><div><br></div><div>Regards,</div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><b>Brady Johnson</b><div>Principal Software Engineer</div><div><div>Telco Solutions & Enablement</div></div><div><a href="mailto:brady.johnson@redhat.com" target="_blank">brady.johnson@redhat.com</a><br></div><div><div><br></div><div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Feb 14, 2023 at 4:58 PM Paul Wouters <<a href="mailto:paul@nohats.ca">paul@nohats.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Tue, 14 Feb 2023, Brady Johnson wrote:<br>
<br>
> I tried your suggestion and I still get the same result. First I removed the "rightsubnet=0.0.0.0/0" from the server config, and then got "IKE_AUTH<br>
> response rejected Child SA with TS_UNACCEPTABLE" when starting the client, so I also removed "leftsubnet=0.0.0.0/0" from the client config, but the<br>
> client-side xfrm policies are the same as before.<br>
> <br>
> Here are the relevant configs:<br>
> <br>
> Server:<br>
> ---------<br>
>     ...<br>
>     # Clients<br>
>     right=%any<br>
>     rightrsasigkey=%cert<br>
>     rightid=%fromcert<br>
>     rightca=%same<br>
>     rightaddresspool="172.16.111.10-172.16.111.99"<br>
>     leftmodecfgserver=yes<br>
>     ...<br>
<br>
This requires narrowing=yes and leftsubnet=yoursubnet/mask<br>
<br>
> Client:<br>
> ---------<br>
>     ...<br>
>     left=172.16.1.10<br>
>     leftrsasigkey=%cert<br>
>     leftid="O=XYZ,CN=vpnclient.dl110-00.xyz.com"<br>
>     leftcert=vpnclient.dl110-00.xyz.com<br>
>     leftupdown="/bin/ipsec_tunnel_tool_updown.xfrm.sh"<br>
>     leftmodecfgclient=yes<br>
>     ...<br>
<br>
This requires narrowing=yes and leftsubnet=0.0.0.0/0 and rightsubnet=0.0.0.0/0.<br>
That is, the client asks for "everything" and the server narrows it down<br>
to one IP/32 to 0/0.<br>
<br>
Paul<br>
<br>
</blockquote></div>
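<div>The narrowing Paul describes above, as an added example that is not part of this thread and not Libreswan code: a small Python model of IKEv2 traffic-selector narrowing (RFC 7296, section 2.9) restricted to the address-range part of a selector (no protocol or port ranges). It assumes the responder intersects the client's proposed selectors with the single pool address it leased to that client (taken here as the first address of the rightaddresspool, an assumption of the model) and with its own leftsubnet; the function names negotiate, narrow, intersect and is_rejected are mine. With the client asking for 0.0.0.0/0 on both sides the result is one IP/32 on the client side and, on the server side, either 0.0.0.0/0 or the server's leftsubnet (172.16.2.0/24 for the leftsubnet=172.16.2.55/24 in the server config above). A proposal with no overlap raises TSUnacceptable, the condition behind the TS_UNACCEPTABLE notify quoted above.</div>

```python
"""Address-range model of IKEv2 traffic selector (TS) narrowing (RFC 7296,
section 2.9). Added example: not code from this thread or from Libreswan.
Only the address part of a TS is modelled (no protocol or port ranges), and
the responder is assumed to narrow by intersecting the initiator's proposal
with its own configured selectors: the pool address it leased to the client
on one side and its leftsubnet on the other."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, summarize_address_range


@dataclass(frozen=True)
class AddrRange:
    """One traffic selector address range, inclusive on both ends."""
    low: IPv4Address
    high: IPv4Address

    def cidrs(self):
        """Render the range as CIDR strings, the form 'ip xfrm policy' shows."""
        return [str(n) for n in summarize_address_range(self.low, self.high)]


class TSUnacceptable(Exception):
    """No overlap between proposal and responder selectors; an IKEv2
    responder answers this with the TS_UNACCEPTABLE notify."""


def ts_from_cidr(cidr):
    """Selector from a subnet spec such as leftsubnet=172.16.2.55/24
    (a host address with a mask is accepted; strict=False masks it)."""
    net = IPv4Network(cidr, strict=False)
    return AddrRange(net.network_address, net.broadcast_address)


def ts_from_pool(pool_spec):
    """Parse a rightaddresspool=low-high spec into a range."""
    low, high = (IPv4Address(p.strip()) for p in pool_spec.split("-"))
    return AddrRange(low, high)


def intersect(a, b):
    """Intersection of two ranges, or None when they do not overlap."""
    low, high = max(a.low, b.low), min(a.high, b.high)
    return AddrRange(low, high) if low <= high else None


def narrow(proposed_tsi, proposed_tsr, assigned_addr, server_subnet):
    """Responder-side narrowing: TSi is cut down to the single address leased
    to the client, TSr to what the server offers. Returns (tsi, tsr)."""
    tsi = intersect(proposed_tsi, AddrRange(assigned_addr, assigned_addr))
    tsr = intersect(proposed_tsr, ts_from_cidr(server_subnet))
    if tsi is None or tsr is None:
        raise TSUnacceptable(
            f"proposed TSi {proposed_tsi.cidrs()} / TSr {proposed_tsr.cidrs()} "
            f"do not overlap the responder's selectors")
    return tsi, tsr


def negotiate(client_left, client_right, pool_spec, server_subnet):
    """One client's exchange: lease the first pool address (an assumption of
    this model), then narrow. Returns CIDR lists for (client side, server side)."""
    assigned = ts_from_pool(pool_spec).low
    tsi, tsr = narrow(ts_from_cidr(client_left), ts_from_cidr(client_right),
                      assigned, server_subnet)
    return tsi.cidrs(), tsr.cidrs()


def is_rejected(client_left, client_right, pool_spec, server_subnet):
    """True when the proposal would be answered with TS_UNACCEPTABLE."""
    try:
        negotiate(client_left, client_right, pool_spec, server_subnet)
        return False
    except TSUnacceptable:
        return True


if __name__ == "__main__":
    pool = "172.16.111.10-172.16.111.99"   # rightaddresspool from the thread
    # Client asks for everything on both sides; the server narrows it.
    print(negotiate("0.0.0.0/0", "0.0.0.0/0", pool, "0.0.0.0/0"))
    print(negotiate("0.0.0.0/0", "0.0.0.0/0", pool, "172.16.2.55/24"))
    # A client proposal that does not cover the leased address is rejected.
    print("rejected:", is_rejected("172.16.1.10/32", "0.0.0.0/0", pool, "0.0.0.0/0"))
```

<div>The third call shows why a client that only proposes its own physical address (what it falls back to when leftsubnet is left unset) cannot be narrowed onto a leased pool address: the intersection is empty, so the responder has nothing to answer with but TS_UNACCEPTABLE.</div>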