[strongSwan] Question on rightsubnet
Tobias Brunner
tobias at strongswan.org
Mon Jan 5 15:54:59 CET 2015
Hi Guy,
> I read that it's supposed to be the same behaviour:
> /Instead of specifying a subnet, /%dynamic/ can be used to replace it
> with the IKE address, having the same effect
> as omitting /left|rightsubnet/ completely/
What's written above is basically correct. There is no difference
between omitting rightsubnet and configuring rightsubnet=%dynamic in
regards to the proposed traffic selectors, at least unless protocol and
ports are defined (with [] syntax after %dynamic), which was the main
reason to introduce %dynamic.
But there is one issue that occurs when rightsubnet=%dynamic is used
together with leftsourceip=%config. The latter uses the unparsed
contents of left|righsubnet to determine the address family of the
virtual IP to request (i.e. whether %config means %config4 or %config6).
The heuristic used there is quite simple, if either left- or
rightsubnet is defined and contains a . assume IPv4 otherwise use IPv6
(if left|rightsubnet are not defined a : is searched in left, and if
found an IPv6 address is requested, otherwise IPv4 is assumed).
So with rightsubnet=%dynamic, which contains no dot, a virtual IPv6
address is requested, which your server probably does not provide, hence
the INTERNAL_ADDRESS_FAILURE.
To work around this issue define leftsourceip=%config4 on your client if
you want to use rightsubnet=%dynamic (or just omit rightsubnet).
Regards,
Tobias
More information about the Users
mailing list