[Openswan Users] rightsubnet limitation

Fabio Corazza fabio at newbay.com
Tue Jun 13 17:27:03 CEST 2006


Hi there,
 I have a problem between Openswan 2.4.5 NETKEY and Cisco.

This is the ipsec.conf relevant configuration:


conn customer
        left="213.79.xx.xx"
        leftsubnet="192.168.2.193/32"
        esp="3des-md5"
        auth="esp"
        authby="secret"
        ikelifetime="28880"
        keyexchange="ike"
        pfs="no"
        keylife="3600"
        right="216.xx.xx.xx"
        rightsubnet="82.xx.xx.30/32"
        auto="add"
        compress="no"
        type="tunnel"
        ike="3des-md5-modp1024"


This is the configuration needed to work. There's an issue with the
"rightsubnet" parameter: you can just specify a subnet or a single host.
The Cisco wants this parameter to be configured as the single host in the
above configuration, while in the Cisco access list there is more than
one IP allowed to access (also from different class C subnets).

I've asked the customer to allow us the entire subnet but that's not
possible for security reasons. In other words, I can't put any subnet in
the "rightsubnet" parameter, but putting just one host isn't correct either.

I've then tried to add routes manually with iproute2 (ip xfrm policy add
...) after the tunnel has been established.

While the routing seems to be correct after adding those xfrm policies
(I see ESP packets going to the end peer from my remote host,
192.168.2.193/32), I don't get any reply, BUT the ACLs on the Cisco are
configured to allow this.

So really, other than adding a subnet, is there a way to write access
policies for single IPs?


P.S.: probably this is a Cisco limitation, because the "rightparameter"
value for the IOS is taken from the first IP in the access list, which
causes the whole problem.


Please help me :-)



Thanks,
Fabio
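One way to cover several single hosts without widening rightsubnet, as an added example that is not part of the original post: define one Openswan conn per remote host and share the common settings through also=. This assumes the Cisco negotiates a separate IPsec SA for each access-list line, so each line needs a conn whose rightsubnet is exactly that host; the second and third host addresses are placeholders.

```ini
# Added example (not from the original post): one Openswan conn per
# remote host instead of one conn covering a whole subnet.
# Assumption: the Cisco negotiates a separate IPsec SA per access-list
# line, so each line needs a conn whose rightsubnet is exactly that host.
# "xx"/"yy"/"zz" addresses are placeholders.

# Settings shared by every host conn.  This section is never loaded on
# its own (auto= defaults to ignore); it is only pulled in via also=.
conn customer-common
        left=213.79.xx.xx
        leftsubnet=192.168.2.193/32
        right=216.xx.xx.xx
        type=tunnel
        keyexchange=ike
        ike=3des-md5-modp1024
        esp=3des-md5
        auth=esp
        authby=secret
        pfs=no
        compress=no
        ikelifetime=28880
        keylife=3600

# The host already in the original configuration.
conn customer-host30
        also=customer-common
        rightsubnet=82.xx.xx.30/32
        auto=add

# A second host from the same access list (placeholder address).
conn customer-host-b
        also=customer-common
        rightsubnet=82.xx.xx.yy/32
        auto=add

# A host in a different class C network (placeholder address).
conn customer-host-c
        also=customer-common
        rightsubnet=82.yy.yy.zz/32
        auto=add
```

After reloading, `ipsec auto --status` should list every host conn; whichever access-list line the Cisco initiates for, Openswan then has a conn with matching proxy IDs instead of a single-host entry that only fits the first line.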

