[Openswan Users] specifying remote subnets and connecting to individual hosts on a remote vpn

Frank Wilson frank.wilson at sidonis.com
Fri May 15 05:27:17 EDT 2009


Hello,

I'm trying to configure an IPsec tunnel with a remote site.
The remote site will only let me connect to these ips on the
remote vpn. 

10.130.245.105
10.130.245.106
10.130.245.107

And,

10.120.100.105
10.120.100.106
10.120.100.107

If I specify the remote subnets too wide, the vpn gateway
(a CISCO ASA 5520) will refuse to setup the phase2 connection.
So for instance specifying 10.130.245.0/24 as a right subnet
will cause phase2 to hang before it completes.
So I try 10.130.245.105/30 and 10.120.100.105/30 as in the following
config, but I still have doubts.

conn remote_site_subnet_a
   rightsubnet=10.130.245.105/30
   also=remote_site

conn remote_site_subnet_b
   rightsubnet=10.120.100.105/30
   also=remote_site

conn remote_site
   left=aa.bb.cc.dd # our public ip
   right=ww.xx.yy.zz # remote site vpn gateway (public ip)
   authby=secret
   keylife=3600s
   ikelifetime=28000s
   ike=aes128-sha1
   esp=aes128-sha1
   pfs=no
   auto=add

This allows phase2 to complete, but I still don't get replies to pings.
So, something must still be wrong. I know that when I ping a remote host
on the vpn (e.g. 10.120.100.105) traffic leaves our network, properly
encrypted, bound for the remote vpn gateway via our outbound interface.

The problem I feel with the /30 subnets is that perhaps the last address 
(107) is reserved for broadcasts? That would mean the third ip is not 
addressed. I know that using /29 is too wide since using it also causes 
phase2 to fail.

Should I be setting up a connection for each individual vpn host?
That would mean a total of 7 conn entries. Is there a better way to do
that? In particular is there a way to make all the connections come up
at the same time (without resorting to auto=start).

Thanks,

Frank
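The following is an added worked example (not part of Frank's post and not Openswan's own code) for the question of how to cover a handful of non-aligned hosts with CIDR prefixes. It uses only the Python standard library; the host list is copied from the post, while the helper names and the generated conn names (remote_site_1 and so on) are this example's own choices. It computes the smallest set of prefixes that covers exactly the allowed hosts and nothing else, shows what a host/length string such as 10.130.245.105/30 really denotes as a network (10.130.245.104/30, which includes .104 and .107 alike; there is no broadcast reservation in a traffic selector), lists the unauthorized addresses an over-wide candidate would drag into the tunnel, and emits one conn stanza per prefix in the also= style the post already uses, since a conn in ipsec.conf carries a single rightsubnet.

```python
"""Exact CIDR covers for a list of allowed IPsec hosts, plus over-wide selector checks.

Added example, not part of the original post or of Openswan. The host list
is taken from the post; function and conn names are this example's own.
"""
import ipaddress
from typing import Iterable, List

# Constructed sample input: the six addresses the remote site says it will accept.
ALLOWED_HOSTS = [
    "10.130.245.105", "10.130.245.106", "10.130.245.107",
    "10.120.100.105", "10.120.100.106", "10.120.100.107",
]


def exact_cover(hosts: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Smallest set of CIDR prefixes covering exactly `hosts` and nothing else.

    Each run of consecutive addresses is summarized into aligned prefixes
    (a /30 must start on a multiple of 4, a /31 on a multiple of 2), then
    adjacent prefixes are collapsed where they form a larger aligned block.
    """
    addrs = sorted({ipaddress.IPv4Address(h) for h in hosts})
    nets: List[ipaddress.IPv4Network] = []
    i = 0
    while i < len(addrs):
        j = i
        while j + 1 < len(addrs) and int(addrs[j + 1]) == int(addrs[j]) + 1:
            j += 1
        nets.extend(ipaddress.summarize_address_range(addrs[i], addrs[j]))
        i = j + 1
    return list(ipaddress.collapse_addresses(nets))


def normalize(prefix: str) -> str:
    """What a host/len string denotes as a network, e.g. x.105/30 -> x.104/30."""
    return str(ipaddress.IPv4Network(prefix, strict=False))


def extra_hosts(prefix: str, hosts: Iterable[str]) -> List[str]:
    """Addresses a candidate rightsubnet would include beyond the allowed hosts.

    Anything returned here is traffic the local side would route into the
    tunnel (and ask the peer to accept) without authorization.
    """
    net = ipaddress.IPv4Network(prefix, strict=False)
    allowed = {ipaddress.IPv4Address(h) for h in hosts}
    # Iterating a network yields every address in it, first and last included.
    return [str(a) for a in net if a not in allowed]


def conn_stanzas(prefixes: Iterable[ipaddress.IPv4Network],
                 parent: str = "remote_site") -> str:
    """One ipsec.conf conn per prefix, inheriting shared settings via also=."""
    stanzas = []
    for n, net in enumerate(prefixes, start=1):
        stanzas.append(f"conn {parent}_{n}\n   rightsubnet={net}\n   also={parent}\n")
    return "\n".join(stanzas)


if __name__ == "__main__":
    cover = exact_cover(ALLOWED_HOSTS)
    print("exact cover:", [str(n) for n in cover])
    for candidate in ("10.130.245.105/30", "10.130.245.104/29", "10.130.245.0/24"):
        print(f"{candidate} is really {normalize(candidate)}, "
              f"{len(extra_hosts(candidate, ALLOWED_HOSTS))} unauthorized address(es)")
    print(conn_stanzas(cover))
```

For the six hosts in the post the exact cover is four prefixes (a /32 for .105 and a /31 for .106-.107 on each subnet), so four child conns plus the shared remote_site stanza; a /30 or /29 on either side necessarily drags in at least .104, which is the kind of selector mismatch a peer with a strict per-host policy will not negotiate.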
