Hello Tobias,<div><br></div><div>I need your help for clarifying 2-3 queries below with reference to your advice on adding routes in table 220..</div><div><br></div><div>1. with policies based on ports/protocols used, Would the routes need to be added still, if we say disable use of table 220 by applying the option "install_routes=no" in charon.conf???</div><div><br></div><div>2. Iam unable recall precisely now (as i write)...does "swanctl.conf" require table-220 to be used (by default)???...or rather the question would be, if i use swanctl.conf for the tunnel with ports/protocol policies, would i need to add routes in table-220????</div><div><br></div><div>3. Same as above, can we use install_routes=no with swantctl and avoid adding routes for the remote-subnets???</div><div><br></div><div>thanks & regards</div><div>Rajiv</div><div><br><br>On Wednesday, September 2, 2020, Makarand Pradhan <<a href="mailto:MakarandPradhan@is5com.com">MakarandPradhan@is5com.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello All,<br>
<br>
I am trying to restrict traffic entering the tunnel using:<br>
<br>
left|rightsubnet = <ip subnet>[[<proto/port>]][,...]<br>
<br>
To test this feature I am trying to restrict ICMP traffic.<br>
<br>
ipsec.conf:<br>
rightsubnet=<a href="http://192.168.9.0/24[icmp],192.168.51.0/24[icmp]" target="_blank">192.168.9.0/24[<wbr>icmp],192.168.51.0/24[icmp]</a><br>
left=172.16.31.2<br>
leftid=172.16.31.2<br>
leftsubnet=<a href="http://10.10.9.0/24[icmp],192.168.61.0/24[icmp]" target="_blank">10.10.9.0/24[icmp],<wbr>192.168.61.0/24[icmp]</a><br>
<br>
The tunnels come up and look ok:<br>
m1{3}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c988747b_i c0147d49_o<br>
m1{3}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 96 minutes<br>
m1{3}: <a href="http://10.10.9.0/24[icmp]" target="_blank">10.10.9.0/24[icmp]</a> <a href="http://192.168.61.0/24[icmp]" target="_blank">192.168.61.0/24[icmp]</a> === <a href="http://192.168.9.0/24[icmp]" target="_blank">192.168.9.0/24[icmp]</a> <a href="http://192.168.51.0/24[icmp]" target="_blank">192.168.51.0/24[icmp]</a><br>
<br>
All the same, the packets are not pushed into the tunnel:<br>
<br>
ping 192.168.9.3 -I 10.10.9.4<br>
PING 192.168.9.3 (192.168.9.3) from 10.10.9.4 : 56(84) bytes of data.<br>
ping: sendmsg: Network is unreachable<br>
ping: sendmsg: Network is unreachable<br>
<br>
The ip xfrm policy seems to be correct:<br>
src <a href="http://192.168.9.0/24" target="_blank">192.168.9.0/24</a> dst <a href="http://10.10.9.0/24" target="_blank">10.10.9.0/24</a> proto icmp <br>
dir fwd priority 375167 ptype main <br>
tmpl src 172.16.31.1 dst 172.16.31.2<br>
proto esp reqid 1 mode tunnel<br>
<br>
Would highly appreciate if anyone can point the error in my configuration?<br>
<br>
Thanks.<br>
<br>
Kind rgds,<br>
Makarand Pradhan<br>
Senior Software Engineer.<br>
iS5 Communications Inc.<br>
5895 Ambler Dr,<br>
Mississauga, Ontario<br>
L4W 5B7<br>
Main Line: +1-844-520-0588 Ext. 129<br>
Direct Line: +1-289-724-2296<br>
Cell: +1-226-501-5666<br>
Fax:+1-289-401-5206<br>
Email: <a href="mailto:makarandpradhan@is5com.com">makarandpradhan@is5com.<wbr>com</a><br>
Website: <a href="http://www.iS5Com.com" target="_blank">www.iS5Com.com</a><br>
<br>
<br>
Confidentiality Notice: <br>
This message is intended only for the named recipients. This message may contain information that is confidential and/or exempt from disclosure under applicable law. Any dissemination or copying of this message by anyone other than a named recipient is strictly prohibited. If you are not a named recipient or an employee or agent responsible for delivering this message to a named recipient, please notify us immediately, and permanently destroy this message and any copies you may have. Warning: Email may not be secure unless properly encrypted.<br>
<br>
</blockquote></div>