Andreas,<div><br></div><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><div>Thanks for that. Unfortunately, all of these abstract labels are making my head hurt. Let's try some real numbers.</div>
<div><br></div><div>Host A and Host B have local IP addresses in the 192.16.50.xxx subnet.</div><div><br></div><div>The SeGW has an unsecure IP address (i.e. on eth0) in the 172.16.xxx.xxx subnet and a secure IP address (i.e. on eth1) in the 172.17.xxx.xxx subnet.</div>
<div><br></div><div>The SeGW is configured to hand out virtual IP addresses to Hosts A and B using the 10.15.xxx.xxx subnet.</div><div><br></div><div>So, we want Host A to be able to talk to other entities in the 10.15.xxx.xxx subnet using IPsec (i.e. Host A <-> Host B via SeGW) and ALSO we want Host A and Host B to be able to talk to entities on the secure side of the SeGW (i.e. other servers on the 172.17.xxx.xxx subnet).</div>
<div><br></div><div>So, currently, on the SeGW we have:</div><div><br></div></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">
<div>conn a-b-gw</div></blockquote></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">
<blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><div>left=<a href="http://segw.foobar.com">segw.foobar.com</a></div><div>leftsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a></div>
<div>leftfirewall=yes</div><div>rightsourceip=<a href="http://10.15.0.0/24">10.15.0.0/24</a></div></blockquote></blockquote><br>Does this make sense ?<br><br>Regards,<br><br></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">
<blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">Graham.</blockquote></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">
<br></blockquote><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;"><blockquote class="webkit-indent-blockquote" style="margin: 0 0 0 40px; border: none; padding: 0px;">
<br><br></blockquote></blockquote></blockquote><div><br><div class="gmail_quote">On 4 March 2011 10:58, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">this is an easy one:<br>
<br>
ipsec.conf of host A:<br>
<br>
conn a-b<br>
left=IP_A<br>
right=IP_GW<br>
rightsubnet=IP_B/32<br>
<br>
ipsec.conf of gateway GW:<br>
<br>
conn a-gw<br>
left=IP_GW<br>
leftsubnet=IP_B<br>
right=IP_A<br>
<br>
conn b-gw<br>
left=IP_GW<br>
leftsubnet=IP_A<br>
right=IP_B<br>
<br>
ipsec.conf of host B<br>
<br>
conn b-a<br>
left=IP_B<br>
right=IP_GW<br>
rightsubnet=IP_A/32<br>
<br></blockquote></div></div>