[strongSwan] Road warriors and site-to-site ping each other

Hoggins! hoggins at radiom.fr
Mon Mar 13 19:05:31 CET 2017


Thank you Noel, that's what I thought...

On 13/03/2017 at 17:39, Noel Kuntze wrote:
> On 12.03.2017 19:05, Hoggins! wrote:
>>     Now I want to have road warriors connected on gateway B. That's cool:
>> they get a dynamic IP address on 192.168.22.0/24 and they can talk to
>> hosts on 192.168.55.0/24. Great.
> TL;DR:
> Use a different subnet. 
>
> Long story:
>
> You've got conflicting subnets which you can't easily solve, because
> the TS is (Site A) 192.168.22.0/24 == 192.168.55.0/24 (B)
> and the roadwarrior's conflicting subnet is 192.168.22.0/24.
> The TS of the tunnel does not permit transmission of packets from site B to site A
> where the destination and source are in 192.168.22.0/24.
>
> Hosts on site A wouldn't be able to figure out if a host in 192.168.22.0/24
> is on the link (and deliver the packet locally by directly addressing the host on
> layer two) or reachable over gw A.
>
> gw A wouldn't know what host in 192.168.22.0/24 is local and which
> is attached to site B via a roadwarrior connection.
>

... so if my gateway A keeps 192.168.22.0/24 as its "real" network, but
gets – let's say – a TS 192.168.33.0/24 == 192.168.55.0/24, my road
warriors would also be on 192.168.33.0/24 (if configured accordingly, of
course), and be able to talk to gateway A.

Now... (as you understood from my previous messages, there are many
basic things that I don't know)
I would like my road warriors on 192.168.33.0/24 to contact hosts on
192.168.22.0/24 and vice-versa. Can I do this by adding the
192.168.22.0/24 subnet somewhere? Like
leftsubnet=192.168.22.0/24,192.168.33.0/24 on host A (but then, how will
the dynamic IP address be chosen amongst these two networks?
Should I order the declarations so that the first one is the one in
which the dyn IP will be attributed?), and
rightsubnet=192.168.22.0/24,192.168.33.0/24,192.168.55.0/24 or something
like that?

Don't judge me, I'm playing with things I don't understand well.

Thanks anyway for all this help.

    Hoggins!
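
The subnet conflict described in the quoted reply, modelled as an added example that is not part of the original thread: it checks whether a host on site A would treat a road warrior's address as on-link, and whether the tunnel's traffic selectors match the packet. The host address 192.168.22.10, the lease index and the third selector set are assumptions made for illustration.

```python
import ipaddress as ip

# Constructed model of the thread's topology; subnets are the ones quoted above.
SITE_A = ip.ip_network("192.168.22.0/24")
SITE_B = ip.ip_network("192.168.55.0/24")
HOST_A = ip.ip_interface("192.168.22.10/24")  # hypothetical host on site A


def ts_permits(side_a, side_b, src, dst):
    """True if src->dst matches the selectors side_a == side_b in either direction."""
    s, d = ip.ip_address(src), ip.ip_address(dst)

    def in_a(x):
        return any(x in n for n in side_a)

    def in_b(x):
        return any(x in n for n in side_b)

    return (in_a(s) and in_b(d)) or (in_b(s) and in_a(d))


def check_pool(pool, side_a, side_b):
    """Evaluate a road-warrior pool served by gateway B, as seen from site A."""
    pool = ip.ip_network(pool)
    rw = pool[100]  # hypothetical address leased to one road warrior
    return {
        "overlaps_site_a": pool.overlaps(SITE_A),
        # On-link: the host resolves rw on layer two locally, so the packet
        # is never handed to gw A and never enters the tunnel.
        "host_treats_rw_as_on_link": rw in HOST_A.network,
        "ts_permits_host_to_rw": ts_permits(side_a, side_b, HOST_A.ip, rw),
    }


if __name__ == "__main__":
    rw33 = ip.ip_network("192.168.33.0/24")
    cases = [
        ("pool inside site A's LAN", "192.168.22.0/24", [SITE_A], [SITE_B]),
        ("separate pool, old TS", "192.168.33.0/24", [SITE_A], [SITE_B]),
        # Assumed selector set that also lists the pool on B's side.
        ("separate pool, pool in TS", "192.168.33.0/24", [SITE_A], [SITE_B, rw33]),
    ]
    for label, pool, a, b in cases:
        print(label, check_pool(pool, a, b))
```

Only the third case leaves the host routing via its gateway and the selectors matching the packet; the first case fails on both counts, which is the situation the reply describes.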
