[strongSwan] activate only a small part of a right subnet
catscrash at catscrash.de
Sat Jun 5 17:53:15 CEST 2021
Hi,
I have a strongswan gateway handling multiple connections with all kinds
of different encryption domains.
Now I have to set up a new connection, where the other side has set up
their encryption domain as 172.16.0.0/12. I only need to reach one host
in this subnet, but I can't influence this encryption domain.
I want to prevent my system from routing all traffic going to 172.16.0.0/12
through that tunnel, when I only need to reach this one host, especially
since there might be conflicts with other encryption domains of other
partners on this gateway.
I have set up the connection as detailed below. If I change the
rightsubnet to only use this one host, the tunnel will not properly come
up, as it does not match the partner settings anymore. Is there a way to
build the SA with the large subnet, but internally only add routes for a
smaller subnet? Thanks for any help!
conn s2s_xyz
    type=tunnel
    left=<<my_ip>>
    leftsubnet=10.10.10.10/29
    leftfirewall=yes
    leftid=<<my_ip>>
    right=<<partner_ip>>
    rightsubnet=172.16.0.0/12
    rightid=<<partner_ip>>
    auto=route
    compress=no
    mobike=no
    #Phase-1
    keyexchange=ikev2
    authby=secret
    ike=aes256-sha256-modp2048
    ikelifetime=24h
    #Phase-2
    keylife=1h
    pfs=yes
    auth=esp
    esp=aes256-sha256-modp2048
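One way to keep the negotiated traffic selector at the full 172.16.0.0/12 while installing a route for only one host is to stop charon from installing its own routes and let an updown script do it. The script below is an added example, not part of the original post and not the strongSwan project's own _updown script. It assumes `charon.install_routes = no` in strongswan.conf (so charon installs no route into its table 220 for any connection on the gateway), that the conn references it via `leftupdown=/path/to/this-script`, and that the single host to reach is the placeholder `NARROW_HOST` (the real address is not given in the post). The `PLUTO_VERB`, `PLUTO_PEER_CLIENT`, `PLUTO_INTERFACE` and `PLUTO_ME` variables are the ones charon's updown plugin exports to the script; the exact route form (dev plus src, no via) is an assumption modelled on the kind of route charon installs itself.

```shell
#!/bin/sh
# Added example: leftupdown script that installs a host route for one
# address instead of the whole remote traffic selector (rightsubnet).
# Assumptions (not from the original post): charon.install_routes = no
# in strongswan.conf; NARROW_HOST is a placeholder for the one host.

NARROW_HOST="${NARROW_HOST:-172.16.1.10/32}"   # placeholder, constructed
ROUTE_TABLE="${ROUTE_TABLE:-220}"              # table charon uses for its own routes

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains NET/BITS ADDR: succeed if ADDR lies inside NET/BITS.
cidr_contains() {
    net=${1%/*}
    bits=${1#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# route_cmd VERB PEER_CLIENT IFACE SRC: print the ip(8) command to run for
# this updown event, or nothing if the event is not a CHILD_SA up/down or
# the negotiated remote selector does not contain NARROW_HOST at all.
route_cmd() {
    verb=$1; peer_client=$2; iface=$3; src=$4
    case "$verb" in
        up-client)   action=replace ;;
        down-client) action=del ;;
        *)           return 0 ;;
    esac
    cidr_contains "$peer_client" "${NARROW_HOST%/*}" || return 0
    echo "ip route $action $NARROW_HOST dev $iface src $src table $ROUTE_TABLE"
}

# Dispatch only when charon actually invokes us (PLUTO_VERB is set);
# sourcing the file for testing runs nothing.
if [ -n "$PLUTO_VERB" ]; then
    cmd=$(route_cmd "$PLUTO_VERB" "$PLUTO_PEER_CLIENT" "$PLUTO_INTERFACE" "$PLUTO_ME")
    [ -n "$cmd" ] && $cmd
fi
```

Two things to keep in mind with this approach: `install_routes` is a global charon setting, so every other conn on the same gateway also loses its automatic routes and needs the same script (or its own routing), and the IPsec policy still covers the whole 172.16.0.0/12, because that is what the SA was negotiated for; only the routing is narrowed, which is exactly what the question asks for.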