[strongSwan] Right hosts

Andreas Steffen andreas.steffen at strongswan.org
Wed Jul 4 12:57:28 CEST 2012


Hi Pedro,

what's the output of the

   ip -s xfrm policy

command? You should see an IN/OUT/FORWARD policy for each of
the two subnets.

Regards

Andreas

On 07/04/2012 11:23 AM, Pedro José Bello Valiñas wrote:
> Hi again Andreas,
> Any other configuration needed for this to work?
> After establishing the communication using IKEv2, only the first IP on
> rightsubnet parameter is being routed through the tunnel. The second one is
> going out of the tunnel.
>
> rightsubnet=192.168.1.35/32,192.168.1.36/32
>
> Any ideas?
>
> Thanks again!!
>
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Thursday, June 28, 2012 5:21
> To: pedro.bello at tic.alten.es
> CC: users at lists.strongswan.org
> Subject: Re: [strongSwan] Right hosts
>
> Hi Pedro,
>
> if Checkpoint supports IKEv2 then you could specify:
>
> conn all
>       rightsubnet=192.168.1.35/32,192.168.1.36/32,192.168.1.37/32,192.168.1.38/32,192.168.1.39/32
>
> With IKEv1 only
>
> conn subnet
>       rightsubnet=192.168.1.34/29
>
> or 6 separate IPsec SAs are possible
>
> conn c1
>       rightsubnet=192.168.1.35/32
>       also=main
>       auto=start
>
> conn c6
>       rightsubnet=192.168.1.39/32
>       also=main
>       auto=start
>
> conn main
>       left=
>       leftsubnet=
>       right=
>       ...
>
> Regards
>
> Andreas
>
> On 06/27/2012 10:53 AM, Pedro José Bello Valiñas wrote:
>> Hi all,
>> We have a list of remote hosts with which we want to communicate through
>> our tunnel (Strongswan - Checkpoint).
>> For example:
>> - 192.168.1.35/32
>> - 192.168.1.36/32
>> - 192.168.1.37/32
>> - 192.168.1.38/32
>> - 192.168.1.39/32
>>
>> Now, when we configure our Strongswan right conn parameter, what
>> should we set there?
>>
>> Rightsubnet=192.168.1.34/29? (Although 192.168.1.40/32 doesn't belong
>> to the remote hosts we want to communicate through the tunnel?)
>>
>> Is there any way to specify a "closed" list of hosts?
>>
>> Regards,
>> Pedro.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
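
Added example, not part of the original mail: a shell helper that applies the check requested above, reading `ip xfrm policy` output and listing every rightsubnet entry that lacks an in, out or fwd policy. The function names, the 10.1.0.0/24 local subnet, the 203.0.113.x gateway addresses and the abbreviated sample dump are constructed for this example.

```shell
#!/bin/sh
# Constructed, abbreviated sample of `ip xfrm policy` output for a tunnel
# where only the first rightsubnet entry got policies installed.
sample_policies() {
cat <<'EOF'
src 10.1.0.0/24 dst 192.168.1.35/32
	dir out priority 1795 ptype main
	tmpl src 203.0.113.1 dst 203.0.113.2
src 192.168.1.35/32 dst 10.1.0.0/24
	dir fwd priority 1795 ptype main
	tmpl src 203.0.113.2 dst 203.0.113.1
src 192.168.1.35/32 dst 10.1.0.0/24
	dir in priority 1795 ptype main
	tmpl src 203.0.113.2 dst 203.0.113.1
EOF
}

# missing_policies "net1,net2,..." < policy-dump
# Prints "<subnet> <dir>" for every remote subnet that lacks an in, out or
# fwd policy; prints nothing when all of them are installed.
missing_policies() {
    awk -v nets="$1" '
        # Selector line: remember the traffic selector of this policy.
        $1 == "src" && $3 == "dst" { src = $2; dst = $4; next }
        # Direction line: the remote subnet is the destination of an out
        # policy and the source of an in or fwd policy.
        $1 == "dir" {
            if ($2 == "out") seen[dst, "out"] = 1
            else if ($2 == "in" || $2 == "fwd") seen[src, $2] = 1
        }
        END {
            n = split(nets, want, ",")
            split("in out fwd", dirs, " ")
            for (i = 1; i <= n; i++)
                for (d = 1; d <= 3; d++)
                    if (!((want[i], dirs[d]) in seen))
                        print want[i], dirs[d]
        }'
}

# Live use: ip xfrm policy | missing_policies "192.168.1.35/32,192.168.1.36/32"
sample_policies | missing_policies "192.168.1.35/32,192.168.1.36/32"
```

A subnet reported here has no kernel policy steering its traffic into the tunnel, which matches the symptom of the second host's traffic leaving outside it.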





