[Openswan Users] rightsubnet limitation

Fabio Corazza fabio at newbay.com
Wed Jun 14 16:10:03 CEST 2006

Andy wrote:
> On Tue, 2006-06-13 at 16:27 +0100, Fabio Corazza wrote:
>> This is the configuration needed to work. There's an issue with the
>> "rightsubnet" parameter, you can just specify a subnet or a single host.
>> The Cisco wants this parameter to be configured as the singlehost in the
>> above configuration, while in the Cisco access list there are more than
>> 1 IP allowed to access (also from different class C subnets).
> Shouldn't be a problem. If the Cisco has multiple access list entries
> for the crypto map, each entry will map to 1 ESP SA. Doesn't matter if
> they are entire subnets or single hosts - really a single host,
> specified as a /32 address, is just a special case of a subnet.
> So just duplicate the config you have changing only the rightsubnet (and
> the conn name, of course) so you have 1 conn for each ACL entry. 
> Because left= and right= are the same in each conn, only 1 ISAKMP SA
> will be used, but you'll get 1 ESP SA for each conn.
> Hope that's clear....

Thank you very much Andy, that did the trick.
Really appreciated! :-)


More information about the Users mailing list