<div dir="ltr">Paul,<div><br></div><div>Thanks for the info.</div><div><br></div><div>I tried your suggestion and I still get the same result. First I removed the "rightsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a>" from the server config, and then got "IKE_AUTH response rejected Child SA with TS_UNACCEPTABLE" when starting the client, so I also removed "leftsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a>" from the client config, but the client-side xfrm policies are the same as before.</div><div><br></div><div>Here are the relevant configs:</div><div><br></div><div>Server:</div><div>---------</div><div>    ...</div><div>    # Clients<br>    right=%any<br>    rightrsasigkey=%cert<br>    rightid=%fromcert<br>    rightca=%same<br>    rightaddresspool="172.16.111.10-172.16.111.99"<br></div><div>    leftmodecfgserver=yes<br></div><div>    ...</div><div><br></div><div>Client:</div><div>---------</div><div>    ...<br></div><div>    left=<span style="color:rgb(0,0,0);white-space:pre-wrap">172.16.1.10</span><br>    leftrsasigkey=%cert<br>    leftid="O=XYZ,CN=<a href="http://vpnclient.dl110-00.xyz.com">vpnclient.dl110-00.xyz.com</a>"<br>    leftcert=<a href="http://vpnclient.dl110-00.xyz.com">vpnclient.dl110-00.xyz.com</a><br>    leftupdown="/bin/<a href="http://ipsec_tunnel_tool_updown.xfrm.sh">ipsec_tunnel_tool_updown.xfrm.sh</a>"<br>    leftmodecfgclient=yes<br></div><div>    ...<br></div><div><br></div><div><br></div><div>Regards,</div><div><br></div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><b>Brady Johnson</b><div>Principal Software Engineer</div><div><div>Telco Solutions & Enablement</div></div><div><a href="mailto:brady.johnson@redhat.com" target="_blank">brady.johnson@redhat.com</a><br></div><div><div><br></div><div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Feb 14, 2023 at 3:40 PM Paul Wouters <<a 
href="mailto:paul@nohats.ca">paul@nohats.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Tue, 14 Feb 2023, Brady Johnson wrote:<br>
<br>
> Why do the policies get created differently?<br>
<br>
I think it's a configuration issue.<br>
<br>
> Server config with address pool:<br>
> -------------------------------------------<br>
> <br>
> conn <a href="http://vpnserver.dl110-05.xyz.com" rel="noreferrer" target="_blank">vpnserver.dl110-05.xyz.com</a><br>
>     # right is remote(client), left is local(server)<br>
>     left=192.168.43.55<br>
>     leftid="O=XYZ,CN=<a href="http://vpnserver.dl110-05.xyz.com" rel="noreferrer" target="_blank">vpnserver.dl110-05.xyz.com</a>"<br>
>     leftsubnet=<a href="http://172.16.2.55/24" rel="noreferrer" target="_blank">172.16.2.55/24</a><br>
>     leftrsasigkey=%cert<br>
>     leftcert=<a href="http://vpnserver.dl110-05.xyz.com" rel="noreferrer" target="_blank">vpnserver.dl110-05.xyz.com</a><br>
>     leftsendcert=always<br>
> <br>
>     # Clients<br>
>     right=%any<br>
>     rightrsasigkey=%cert<br>
>     rightid=%fromcert<br>
>     rightca=%same<br>
>     rightsubnet=<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
>     rightaddresspool="172.16.111.10-172.16.111.99"<br>
<br>
Here rightsubnet should not be used because rightaddresspool is in use.<br>
The right (client) subnet is supposed to be the 1 IP address.<br>
It probably ignored rightsubnet= for you.<br>
<br>
> Server config with static client IP:<br>
> --------------------------------------------<br>
> <br>
> conn <a href="http://vpnserver.dl110-05.xyz.com" rel="noreferrer" target="_blank">vpnserver.dl110-05.xyz.com</a><br>
>     left=192.168.43.55<br>
>     leftid="O=XYZ,CN=<a href="http://vpnserver.dl110-05.xyz.com" rel="noreferrer" target="_blank">vpnserver.dl110-05.xyz.com</a>"<br>
>     leftsubnet=<a href="http://172.16.2.55/24" rel="noreferrer" target="_blank">172.16.2.55/24</a><br>
>     leftrsasigkey=%cert<br>
>     leftcert=<a href="http://vpnserver.dl110-05.xyz.com" rel="noreferrer" target="_blank">vpnserver.dl110-05.xyz.com</a><br>
>     leftsendcert=always<br>
> <br>
>     # Clients<br>
>     right=%any<br>
>     rightrsasigkey=%cert<br>
>     rightid=%fromcert<br>
>     rightca=%same<br>
>     rightsubnet=<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a><br>
<br>
Now <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> lives on the client, not the server. So likely your server<br>
is losing internet connectivity. You would want to use rightsubnet=<a href="http://172.16.111.10/32" rel="noreferrer" target="_blank">172.16.111.10/32</a><br>
<br>
Paul<br>
<br>
</blockquote></div>
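<div dir="ltr">The two mistakes Paul points out above (rightsubnet= configured together with rightaddresspool=, and rightsubnet=0.0.0.0/0 on the server side where the client's /32 belongs) are easy to catch with a small lint pass over the conn sections before loading the config. The script below is an added example, not code from the thread or from libreswan; its "server side" heuristic (right=%any) is an assumption of the script, and the two sample sections are constructed from the server configs quoted in the thread.</div>

```python
"""Lint libreswan-style ipsec.conf 'conn' sections for the two mistakes discussed
in the thread: rightsubnet= set alongside rightaddresspool=, and
rightsubnet=0.0.0.0/0 on the server (right=%any) side.
Added example, not part of the mailing-list post or of libreswan; treating
right=%any as 'this is the server side' is an assumption of this script."""

import re

# Constructed conn sections, adapted from the server configs quoted in the thread.
SAMPLE_POOL = """\
conn vpnserver.dl110-05.xyz.com
    # right is remote(client), left is local(server)
    left=192.168.43.55
    leftsubnet=172.16.2.55/24
    leftrsasigkey=%cert
    # Clients
    right=%any
    rightrsasigkey=%cert
    rightid=%fromcert
    rightca=%same
    rightsubnet=0.0.0.0/0
    rightaddresspool="172.16.111.10-172.16.111.99"
"""

SAMPLE_STATIC = """\
conn vpnserver.dl110-05.xyz.com
    left=192.168.43.55
    leftsubnet=172.16.2.55/24
    right=%any
    rightid=%fromcert
    rightsubnet=0.0.0.0/0
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text.
    '#' comments and blank lines are ignored; surrounding quotes are stripped from values."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value.strip('"')
    return conns


def lint_conn(name, opts):
    """Apply the two checks from the thread to one parsed conn section."""
    findings = []
    # Check 1: with rightaddresspool= in use, rightsubnet= should not be set; the
    # client's subnet is the single address handed out from the pool.
    if "rightaddresspool" in opts and "rightsubnet" in opts:
        findings.append(
            f"{name}: rightsubnet= is set but rightaddresspool= is in use; drop rightsubnet=")
    # Check 2: 0.0.0.0/0 belongs on the client. On the server side (heuristic:
    # right=%any) it makes the remote end 'everything', so the server's own traffic
    # is pulled into the tunnel; the client's /32 is what is wanted.
    if opts.get("right") == "%any" and opts.get("rightsubnet") == "0.0.0.0/0":
        findings.append(
            f"{name}: rightsubnet=0.0.0.0/0 on the server side; use the client's /32 instead")
    return findings


def lint(text):
    """Lint every conn section in the given config text; returns a list of findings."""
    out = []
    for name, opts in parse_conns(text).items():
        out.extend(lint_conn(name, opts))
    return out


if __name__ == "__main__":
    for label, sample in (("pool", SAMPLE_POOL), ("static", SAMPLE_STATIC)):
        for finding in lint(sample):
            print(f"[{label}] {finding}")
```

<div dir="ltr">Run against the first sample both checks fire (rightsubnet= next to rightaddresspool=, and the 0.0.0.0/0 on the responder); against the second only the 0.0.0.0/0 check fires. A conn with right=%any and rightsubnet=172.16.111.10/32 passes clean.</div>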