[Openswan Users] help:about exact IP range configuration on super-freeswan

Paul Wouters paul at xtdnet.nl
Sat Jan 17 04:02:44 CET 2004


On Sat, 17 Jan 2004, swcims wrote:

> 	Can super-freeswan support exact IP range configuration in local/remote subnet? I find that I only can write "left(or right)subnet=192.168.1.0/24". But exact IP range, such as 192.168.1.10--192.168.1.45 in the left or right subnet, is required by some customers. Also, I can't connect super-freeswan on Redhat linux with Linksys VPN router, when the latter configure exact IP range.

What you are trying to do is export a non-logical subnet. A subnet of 
192.168.1.10--192.168.1.45 seems like a manager or salesguy decision. It is 
not a technical decision.

You can somewhat address this issue by using multiple tunnels for "proper"
subnets. Though again, you have picked awkward numbers. Since you are using
private space anyway, I suggest you try to make subnets on better fitting
subnet boundaries, such as 192.168.1.8 and 192.168.1.48. Once you pick sane
boundaries, you can easily write the tunnel subnet definitions, eg:

rightsubnet=192.168.1.8/29 to cover 192.168.1.8 - 192.168.1.15

and perhaps a second tunnel to the same place with:

rightsubnet=192.168.1.16/28 to cover 192.168.1.16 - 192.168.1.31

If you are starting from scratch on some big chunk of IP space, say a /24
like 192.168.1.0/24, then I recommend using one half of the space for smaller
subnets, and the other half of the space for bigger subnets.

But your current scheme will get you in a lot of trouble, even if you would
manage to fix the freeswan issues.

Paul
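
An added example, not part of the original message: the Python sketch below shows why 192.168.1.10--192.168.1.45 does not fit one subnet definition, and what widening to the boundaries suggested above (192.168.1.8 and 192.168.1.48) costs in extra addresses reachable through the tunnel. The function names and the tunnel limit of 3 are assumptions made for illustration; only the `rightsubnet=` keyword comes from the thread.

```python
import ipaddress


def exact_cover(first, last):
    """Return the shortest list of CIDR blocks covering exactly first..last."""
    a = ipaddress.IPv4Address(first)
    b = ipaddress.IPv4Address(last)
    return list(ipaddress.summarize_address_range(a, b))


def widen_to_fit(first, last, max_tunnels):
    """Grow the range outward to aligned boundaries until it needs at most
    max_tunnels CIDR blocks. Returns (blocks, extra_addresses), where
    extra_addresses are hosts the tunnels expose that were not requested."""
    if max_tunnels < 1:
        raise ValueError("need at least one tunnel")
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    for bits in range(33):
        mask = (1 << bits) - 1
        wlo, whi = lo & ~mask, hi | mask      # align both ends to 2**bits
        blocks = exact_cover(wlo, whi)
        if len(blocks) <= max_tunnels:
            extra = [ipaddress.IPv4Address(i) for i in range(wlo, lo)]
            extra += [ipaddress.IPv4Address(i) for i in range(hi + 1, whi + 1)]
            return blocks, extra
    raise AssertionError("unreachable: 0.0.0.0/0 is always a single block")


if __name__ == "__main__":
    # The range from the question: one tunnel per block would be needed.
    for net in exact_cover("192.168.1.10", "192.168.1.45"):
        print(f"exact:   rightsubnet={net}")

    # Widened to aligned boundaries, with an assumed limit of 3 tunnels.
    blocks, extra = widen_to_fit("192.168.1.10", "192.168.1.45", 3)
    for net in blocks:
        print(f"aligned: rightsubnet={net}")
    print("also exposed:", ", ".join(str(a) for a in extra))
```

Any addresses listed as "also exposed" become reachable over the tunnels, so they should either be left unassigned or filtered on the gateway if the original range was an access-control requirement.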


