[strongSwan] Right hosts

Pedro José Bello Valiñas pedro.bello at tic.alten.es
Wed Jul 4 16:37:31 CEST 2012


Hi Andreas,
I only see the policy for the first one... :-(

I set:

rightsubnet=192.168.1.35/32,192.168.1.36/32

and

rightsubnet=192.168.1.35/32,192.168.1.36/32,

But the policies shown are for 192.168.1.35/32.

Regards,
Pedro.

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
Sent: Wednesday, July 04, 2012 11:57
To: pedro.bello at tic.alten.es
CC: users at lists.strongswan.org
Subject: Re: [strongSwan] Right hosts

Hi Pedro,

what's the output of the

   ip -s xfrm policy

command? You should see an IN/OUT/FORWARD policy for each of the two
subnets.

Regards

Andreas

On 07/04/2012 11:23 AM, Pedro José Bello Valiñas wrote:
> Hi again Andreas,
> Any other configuration needed for this to work?
> After establishing the communication using IKEv2, only the first IP on 
> rightsubnet parameter is being routed through the tunnel. The second 
> one is going out of the tunnel.
>
> rightsubnet=192.168.1.35/32,192.168.1.36/32
>
> Any ideas?
>
> Thanks again!!
>
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Thursday, June 28, 2012 5:21
> To: pedro.bello at tic.alten.es
> CC: users at lists.strongswan.org
> Subject: Re: [strongSwan] Right hosts
>
> Hi Pedro,
>
> if Checkpoint supports IKEv2 then you could specify:
>
> conn all
>
>       rightsubnet=192.168.1.35/32,192.168.1.36/32,192.168.1.37/32,192.168.1.38/32,192.168.1.39/32
>
> With IKEv1 only
>
> conn subnet
>       rightsubnet=192.168.1.34/29
>
> or 6 separate IPsec SAs are possible
>
> conn c1
>       rightsubnet=192.168.1.35/32
>       also=main
>       auto=start
>
> conn c6
>       rightsubnet=192.168.1.39/32
>       also=main
>       auto=start
>
> conn main
>       left=
>       leftsubnet=
>       right=
>       ...
>
> Regards
>
> Andreas
>
> On 06/27/2012 10:53 AM, Pedro José Bello Valiñas wrote:
>> Hi all,
>> We have a list of remote hosts with which we want to communicate through
>> our tunnel (Strongswan - Checkpoint).
>> For example:
>> - 192.168.1.35/32
>> - 192.168.1.36/32
>> - 192.168.1.37/32
>> - 192.168.1.38/32
>> - 192.168.1.39/32
>>
>> Now, when we configure our Strongswan right conn parameter, what 
>> should we set there?
>>
>> Rightsubnet=192.168.1.34/29? (Although 192.168.1.40/32 doesn't belong
>> to the remote hosts we want to communicate through the tunnel?)
>>
>> Is there any way to specify a "closed" list of hosts?
>>
>> Regards,
>> Pedro.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications University of Applied
Sciences Rapperswil CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
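
The check Andreas asks for above, as an added example that is not part of the original thread or of strongSwan: it parses `ip -s xfrm policy` output and reports which `rightsubnet` entries lack an in/out/fwd policy, and it lists the addresses a covering prefix such as the /29 admits beyond the closed host list. The sample output, the local subnet 10.0.0.0/24 and the tunnel endpoints 203.0.113.x are constructed assumptions.

```python
import ipaddress
import re

# Constructed, abridged sample of `ip -s xfrm policy` output: only the first right
# subnet has policies. Local subnet and tunnel endpoints are assumptions.
SAMPLE = """\
src 10.0.0.0/24 dst 192.168.1.35/32 uid 0
    dir out action allow index 129 priority 1859 share any flag (0x00000000)
    tmpl src 203.0.113.2 dst 203.0.113.1
src 192.168.1.35/32 dst 10.0.0.0/24 uid 0
    dir fwd action allow index 122 priority 1859 share any flag (0x00000000)
    tmpl src 203.0.113.1 dst 203.0.113.2
src 192.168.1.35/32 dst 10.0.0.0/24 uid 0
    dir in action allow index 112 priority 1859 share any flag (0x00000000)
    tmpl src 203.0.113.1 dst 203.0.113.2
"""

SELECTOR = re.compile(r"^src (\S+) dst (\S+)")   # unindented selector line
DIRECTION = re.compile(r"^\s+dir (\w+)")         # indented direction line
ALL_DIRS = {"in", "out", "fwd"}

def parse_policies(text):
    """Return (direction, src, dst) for every policy in the output."""
    policies, selector = [], None
    for line in text.splitlines():
        if m := SELECTOR.match(line):
            selector = (m.group(1), m.group(2))
        elif (m := DIRECTION.match(line)) and selector:
            policies.append((m.group(1), *selector))
            selector = None
    return policies

def missing_policies(text, right_subnets):
    """Map each right subnet to the directions that have no policy installed."""
    seen = {ipaddress.ip_network(s): set() for s in right_subnets}
    for direction, src, dst in parse_policies(text):
        # The remote subnet is the destination of "out" and the source of "in"/"fwd".
        remote = ipaddress.ip_network(dst if direction == "out" else src, strict=False)
        if remote in seen:
            seen[remote].add(direction)
    return {str(n): sorted(ALL_DIRS - d) for n, d in seen.items() if ALL_DIRS - d}

def extra_hosts(prefix, closed_list):
    """Addresses a covering prefix admits beyond the closed list of hosts."""
    net = ipaddress.ip_network(prefix, strict=False)
    wanted = {ipaddress.ip_network(h).network_address for h in closed_list}
    return [str(a) for a in net if a not in wanted]
```

On a live gateway, pass the captured output of `ip -s xfrm policy` instead of `SAMPLE`; an empty result from `missing_policies` means every listed subnet has all three policies.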