[strongSwan] right/leftsubnet with 0.0.0.0/0 or some specific network

Johannes Hubertz johannes at hubertz.de
Sun Jun 14 10:32:24 CEST 2015


Hi zhuyj and list readers,

On 12.06.2015 10:54, zhuyj wrote:
> In the above ipsec.conf file, if I use right/leftsubnet with 0.0.0.0/0,
> the whole system can not work well.
> If I use right/leftsubnet with 10.1 or 2.0.0/16, the whole system can
> work well.

I've had a similar experience and found exactly one working solution. I
had to cut out the local subnet from the tunnels to the other side, e.g.

leftsubnet: 00.0.0.0/8
rightsubnet: 10.1.0.0/16

results in tunnels on the right side to the left like this:
0.0.0.0/5
8.0.0.0/7
10.0.0.0/16
10.2.0.0/15
10.4.0.0/14
10.8.0.0/13
10.16.0.0/12
10.32.0.0/11
10.64.0.0/10
10.128.0.0/9
11.0.0.0/8
12.0.0.0/6
16.0.0.0/4
32.0.0.0/3
64.0.0.0/2
128.0.0.0/1


These are exactly all the possible nets except the local subnet.

For calculating I use ipaddr.py, easily installed using

apt-get install python-ipaddr
apt-get install python3-ipaddr

May the source be with you.

Kind regards from Cologne, Germany

Johannes


-- 
Johannes Hubertz

Managing partner of hubertz-it-consulting GmbH
Registered office: Grengeler Mauspfad 111a,  D-51147 Köln,  European Common,
Commercial register:  Köln HRB55865,    VAT ID no.:  DE814465092
Tel.: +49 (0) 1607421564      Electronic Mail: it-consult at hubertz.de
GnuPG Fingerprint: a81f e2da f1f9 a0e3 be20 b2b0 005e a2e3 cff5 a06f

Your service for data protection and information security:
Reliable networks for confidential communication
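
The calculation described in the message above, as an added example that is not part of the original post: it uses Python's standard-library `ipaddress` module instead of ipaddr.py, and the function names `exclude_subnets` and `covers_exactly` are hypothetical. It goes slightly beyond the message by accepting several excluded subnets and by checking that the result and the excluded ranges together cover the outer network exactly.

```python
import ipaddress

def exclude_subnets(outer, excluded):
    """Return sorted networks covering `outer` minus every network in `excluded`."""
    remaining = [ipaddress.ip_network(outer)]
    for raw in excluded:
        cut = ipaddress.ip_network(raw)
        kept = []
        for net in remaining:
            if net.version != cut.version or not net.overlaps(cut):
                kept.append(net)                       # untouched by this exclusion
            elif net.subnet_of(cut):
                continue                               # wholly inside the excluded range
            else:
                kept.extend(net.address_exclude(cut))  # cut lies inside net: split around it
        remaining = kept
    return sorted(remaining)

def covers_exactly(outer, excluded, result):
    """True if `result` avoids every excluded range and no address of `outer` is lost."""
    outer = ipaddress.ip_network(outer)
    cuts = list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in excluded))
    if any(r.overlaps(c) for r in result for c in cuts):
        return False
    # CIDR blocks are either nested or disjoint, so the overlap is the smaller block.
    cut_size = sum(min(c.num_addresses, outer.num_addresses)
                   for c in cuts if c.overlaps(outer))
    return sum(r.num_addresses for r in result) + cut_size == outer.num_addresses

if __name__ == "__main__":
    # The case from the message: everything except 10.1.0.0/16.
    nets = exclude_subnets("0.0.0.0/0", ["10.1.0.0/16"])
    for n in nets:
        print(n)
    print("exact cover:", covers_exactly("0.0.0.0/0", ["10.1.0.0/16"], nets))
```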
