[strongSwan] right/leftsubnet with 0.0.0.0/0 or some specific network
Johannes Hubertz
johannes at hubertz.de
Sun Jun 14 10:32:24 CEST 2015
Hi zhuyj and listreaders,
On 12.06.2015 10:54, zhuyj wrote:
> In the above ipsec.conf file, if I use right/leftsubnet with 0.0.0.0/0,
> the whole system can not work well.
> If I use right/leftsubnet with 10.1 or 2.0.0/16, the whole system can
> work well.
I've had similar experience and found exactly one working solution. I
had to cut out local sbnet from tunnels to the other side, f.e.
leftsubnet: 00.0.0.0/8
rightsubnet: 10.1.0.0/16
results in tunnels on the right side to the left like this:
0.0.0.0/5
8.0.0.0/7
10.0.0.0/16
10.2.0.0/15
10.4.0.0/14
10.8.0.0/13
10.16.0.0/12
10.32.0.0/11
10.64.0.0/10
10.128.0.0/9
11.0.0.0/8
12.0.0.0/6
16.0.0.0/4
32.0.0.0/3
64.0.0.0/2
128.0.0.0/1
These are exactly all the possible nets except the local subnet.
For calculating I use ipaddr.py, easily installed using
apt-get install python-ipaddr
apt-get install python3-ipaddr
May the source be with you.
Kind regards from Cologne, Germany
Johannes
--
Johannes Hubertz
Geschäftsführender Gesellschafter der hubertz-it-consulting GmbH
Sitz: Grengeler Mauspfad 111a, D-51147 Köln, European Common,
Handelsregister: Köln HRB55865, Ust.-ID Nr.: DE814465092
Tel.: +49 (0) 1607421564 Electronic Mail: it-consult at hubertz.de
GnuPG Fingerprint: a81f e2da f1f9 a0e3 be20 b2b0 005e a2e3 cff5 a06f
Ihr Service für Datenschutz und Informationssicherheit:
Verlässliche Netzwerke für vertrauliche Kommunikation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150614/af7d9cfb/attachment.pgp>
More information about the Users
mailing list