<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have the following IPv4 IKEv2 tunnel mode setup:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:black">192.168.10.0/24 --- GW ---|<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">192.168.11.0/24 --- GW ---|--- Strongswan GW --- Remote peer<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">192.168.12.0/24 --- GW ---|<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">192.168.13.0/24 --- GW ---|<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The remote peer has a policy defined as 192.168.0.0/16. On the Strongswan GW I define leftsubnet individually (i.e. 192.168.10.0/24, then 192.168.11.0/24, then 192.168.13.0/24, etc.) and each SA establishes fine (this would be four separate
tests with different leftsubnet definitions for each network separately). These tests seem to indicate that narrowing is working to some degree. However, if I use the comma-separated list (i.e. leftsubnet=192.168.10.0/24,192.168.11.0/24,192.168.12.0/24,192.168.13.0/24)
the proposal fails and none of the SAs establish (specifically due to the traffic selectors). It’s my impression that one of the major distinctions between IKEv1 and IKEv2 is to accommodate multiple subnets within the traffic selectors. So I would expect
the list of multiple subnets to work if narrowing was working the way it is defined. Is my understanding incorrect? If the remote peer fails to accommodate the list of multiple subnets, is it non-conforming?
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Honestly, I don’t really see much value in narrowing to a single subnet like what worked initially (i.e. 192.168.10.0/24 <–> 192.168.0.0/16; 192.168.11.0/24 <–> 192.168.0.0/16). In order to get all 4 subnets to the remote peer I would
need to 1) define the remote peer with a policy of 192.168.0.0/16 and 2) define the Strongswan GW with a policy of 192.168.0.0/16. Which means there would be no narrowing going on. I’m at a loss trying to understand this.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Any help you could provide would be appreciated. Thanks in advance.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Eric Johnson<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
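<p class="MsoNormal">The following is an added worked example, not part of the original message and not strongSwan code: a small model of IKEv2 traffic-selector narrowing as described in RFC 7296 section 2.9. It treats each selector as an inclusive IPv4 address range, intersects every selector the initiator proposes with every selector the responder's policy permits, and reports TS_UNACCEPTABLE when nothing overlaps. The four /24 networks and the 192.168.0.0/16 policy from the post are used as constructed input; the max_ts parameter is an assumption that models a responder which carries only a limited number of selectors per CHILD_SA and signals ADDITIONAL_TS_POSSIBLE for the rest. Protocol and port narrowing are omitted.<o:p></o:p></p>

```python
"""Model of IKEv2 traffic-selector (TS) narrowing, RFC 7296 section 2.9.

Added example: it is not strongSwan's implementation, only an illustration
of what a conforming responder does with the selectors an initiator proposes.
"""
from ipaddress import IPv4Address, IPv4Network, summarize_address_range
from typing import List, Optional, Tuple

# A traffic selector here is an inclusive IPv4 address range.
# (Real IKEv2 selectors also carry a protocol and a port range.)
TS = Tuple[IPv4Address, IPv4Address]


def ts_from_cidr(cidr: str) -> TS:
    """Turn a CIDR block into an inclusive (first, last) address range."""
    net = IPv4Network(cidr, strict=False)
    return (net.network_address, net.broadcast_address)


def ts_to_cidrs(ts: TS) -> List[str]:
    """Render a range back as the minimal list of CIDR blocks."""
    return [str(n) for n in summarize_address_range(ts[0], ts[1])]


def intersect(a: TS, b: TS) -> Optional[TS]:
    """Overlap of two ranges, or None when they are disjoint."""
    lo = max(a[0], b[0])
    hi = min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def narrow(proposed: List[str], policy: List[str],
           max_ts: Optional[int] = None) -> Tuple[List[str], str]:
    """Narrow the proposed selectors against the responder's policy.

    Returns (selected_cidrs, status) where status is one of:
      'OK'                     every overlapping selector was accepted
      'ADDITIONAL_TS_POSSIBLE' a subset was chosen (max_ts is an assumed
                               per-CHILD_SA limit of the responder)
      'TS_UNACCEPTABLE'        no proposed selector overlaps the policy
    The same narrowing is applied to TSi and TSr independently in IKEv2.
    """
    selected: List[TS] = []
    for p in map(ts_from_cidr, proposed):
        for q in map(ts_from_cidr, policy):
            overlap = intersect(p, q)
            if overlap is not None and overlap not in selected:
                selected.append(overlap)
    if not selected:
        return [], "TS_UNACCEPTABLE"
    dropped = False
    if max_ts is not None and len(selected) > max_ts:
        # Responder keeps the first selectors it can carry; the initiator may
        # create further CHILD_SAs for the rest after this notification.
        selected = selected[:max_ts]
        dropped = True
    cidrs = [c for ts in selected for c in ts_to_cidrs(ts)]
    return cidrs, ("ADDITIONAL_TS_POSSIBLE" if dropped else "OK")


# Constructed input taken from the post: four local /24s versus a /16 policy.
LOCAL_SUBNETS = ["192.168.10.0/24", "192.168.11.0/24",
                 "192.168.12.0/24", "192.168.13.0/24"]
REMOTE_POLICY = ["192.168.0.0/16"]

if __name__ == "__main__":
    print(narrow(LOCAL_SUBNETS, REMOTE_POLICY))            # all four /24s, OK
    print(narrow(["192.168.0.0/16"], REMOTE_POLICY))       # the /16 itself, OK
    print(narrow(["10.0.0.0/8"], REMOTE_POLICY))           # TS_UNACCEPTABLE
    print(narrow(LOCAL_SUBNETS, REMOTE_POLICY, max_ts=1))  # first /24 only
```

<p class="MsoNormal">Run stand-alone, the first call shows the outcome a responder following the RFC would produce for the comma-separated leftsubnet list: each /24 lies inside the /16, so all four come back unchanged and one CHILD_SA carries them. The last call shows the alternative a responder may legitimately choose when it limits selectors per SA: it answers with a subset rather than rejecting the exchange, which is a useful reference point when reading the remote peer's IKE_AUTH or CREATE_CHILD_SA response.<o:p></o:p></p>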
</div>
</body>
</html>