[strongSwan] Question on rightsubnet

Guy Maman mamang at porticor.com
Wed Jan 7 12:53:31 CET 2015


Thanks Tobias

It was very helpful

Guy

On 05/01/15 16:54, Tobias Brunner wrote:
> Hi Guy,
>
>> I read that it's supposed to be the same behaviour:
>> "Instead of specifying a subnet, %dynamic can be used to replace it
>> with the IKE address, having the same effect
>> as omitting left|rightsubnet completely"
> What's written above is basically correct.  There is no difference
> between omitting rightsubnet and configuring rightsubnet=%dynamic in
> regards to the proposed traffic selectors, at least unless protocol and
> ports are defined (with [] syntax after %dynamic), which was the main
> reason to introduce %dynamic.
>
> But there is one issue that occurs when rightsubnet=%dynamic is used
> together with leftsourceip=%config.  The latter uses the unparsed
> contents of left|rightsubnet to determine the address family of the
> virtual IP to request (i.e. whether %config means %config4 or %config6).
> The heuristic used there is quite simple, if either left- or
> rightsubnet is defined and contains a . assume IPv4 otherwise use IPv6
> (if left|rightsubnet are not defined a : is searched in left, and if
> found an IPv6 address is requested, otherwise IPv4 is assumed).
> So with rightsubnet=%dynamic, which contains no dot, a virtual IPv6
> address is requested, which your server probably does not provide, hence
> the INTERNAL_ADDRESS_FAILURE.
>
> To work around this issue define leftsourceip=%config4 on your client if
> you want to use rightsubnet=%dynamic (or just omit rightsubnet).
>
> Regards,
> Tobias
>
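
Added example, not part of the original thread and not strongSwan code: a small Python check that models the %config address-family heuristic as Tobias describes it, run over constructed conn sections to show which ones would request a virtual IPv6 address. The function names, the sample configuration, and the simplified parser (no "also=" or "conn %default" handling) are assumptions made for illustration.

```python
# Model of the heuristic described in the message above; not strongSwan source.
SAMPLE_CONF = """\
# constructed sample, trimmed to the keys the heuristic reads
conn dyn-broken
    left=192.0.2.5
    leftsourceip=%config
    rightsubnet=%dynamic
conn dyn-fixed
    left=192.0.2.5
    leftsourceip=%config4
    rightsubnet=%dynamic
conn omitted
    left=192.0.2.5
    leftsourceip=%config
conn explicit-v4
    left=192.0.2.5
    leftsourceip=%config
    rightsubnet=10.1.0.0/16
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for plain 'conn' sections."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented line starts a section
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def requested_family(conn):
    """Family of the virtual IP that leftsourceip requests, or None if unset."""
    sourceip = conn.get("leftsourceip")
    if sourceip in ("%config4", "%config6"):      # explicit family, no guessing
        return "IPv4" if sourceip == "%config4" else "IPv6"
    if sourceip != "%config":
        return None
    subnets = [conn[k] for k in ("leftsubnet", "rightsubnet") if k in conn]
    if subnets:                                   # unparsed text: a dot means IPv4
        return "IPv4" if any("." in s for s in subnets) else "IPv6"
    return "IPv6" if ":" in conn.get("left", "") else "IPv4"

def audit(text):
    return {name: requested_family(c) for name, c in parse_conns(text).items()}
```

Calling audit(SAMPLE_CONF) reports IPv6 only for dyn-broken, the combination of leftsourceip=%config and rightsubnet=%dynamic that led to the INTERNAL_ADDRESS_FAILURE discussed in this thread.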

