[Openswan Users] Openswan with NETKEY and monitoring data
Willie Gillespie
wgillespie+openswan at es2eng.com
Fri Apr 8 18:36:17 EDT 2011
On 4/8/2011 9:22 AM, Mark Dalton wrote:
> I just need a pointer in the right direction, I am not sure why I needed
> to have:
> leftsubnet= 0.0.0.0/0
> versus
> leftsubnet= 192.168.0.0/25
I know you're past this point now, but I thought I could explain the WHY
you were wondering about here.
> This is what I heard indirectly from the people with the
> right side Cisco VPN.
>
> > IPSEC FLOW: permit ip 192.168.1.0/255.255.255.128 0.0.0.0/0.0.0.0
On the Cisco-side, they basically set up:

    leftsubnet=192.168.1.0/25
    rightsubnet=0.0.0.0/0

With IPsec, both sides MUST match to work completely. So when you had:

    leftsubnet=192.168.1.0/25
    rightsubnet=192.168.1.0/25

... it didn't match the Cisco config completely. This is why it was
only working for you when you had:

    leftsubnet=0.0.0.0/0
    rightsubnet=192.168.1.0/25

(Note: left and right can be swapped, or left the same -- it doesn't
matter. I usually do what you did, and have left = my local side)
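
The matching rule explained in the message above, as an added example that is not part of the original post: a small checker that compares an Openswan conn's leftsubnet/rightsubnet with the Cisco "IPSEC FLOW" line quoted in the thread. The function names and the `local_side` parameter are hypothetical, and it assumes the Cisco line lists the Cisco's local network first and its remote network second.

```python
import ipaddress

# Values quoted in the thread; the conn snippets are reduced to the two subnet lines.
CISCO_FLOW = "IPSEC FLOW: permit ip 192.168.1.0/255.255.255.128 0.0.0.0/0.0.0.0"
FAILING = "leftsubnet=192.168.1.0/25\nrightsubnet=192.168.1.0/25\n"
WORKING = "leftsubnet= 0.0.0.0/0\nrightsubnet=192.168.1.0/25\n"
CISCO_VIEW = "leftsubnet=192.168.1.0/25\nrightsubnet=0.0.0.0/0\n"


def parse_cisco_flow(line):
    """Return (peer_local, peer_remote) networks from a 'permit ip A/MASK B/MASK' line."""
    tokens = line.split()
    i = tokens.index("permit")
    if tokens[i + 1] != "ip":
        raise ValueError("only 'permit ip' flows are handled")
    # ip_network() accepts dotted netmasks such as 255.255.255.128
    return ipaddress.ip_network(tokens[i + 2]), ipaddress.ip_network(tokens[i + 3])


def parse_openswan_subnets(conn_text):
    """Return (leftsubnet, rightsubnet) from ipsec.conf-style key=value lines."""
    found = {}
    for raw in conn_text.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition("=")
        if sep and key.strip() in ("leftsubnet", "rightsubnet"):
            found[key.strip()] = ipaddress.ip_network(value.strip())
    return found["leftsubnet"], found["rightsubnet"]


def selectors_match(conn_text, cisco_flow, local_side="left"):
    """True when our local/remote subnets are the exact mirror of the peer's flow.

    local_side says which of left/right is this host (hypothetical parameter);
    left and right are only labels, so either assignment can be checked.
    """
    left, right = parse_openswan_subnets(conn_text)
    local, remote = (left, right) if local_side == "left" else (right, left)
    peer_local, peer_remote = parse_cisco_flow(cisco_flow)
    return local == peer_remote and remote == peer_local


if __name__ == "__main__":
    for name, conn in (("failing", FAILING), ("working", WORKING)):
        print(name, selectors_match(conn, CISCO_FLOW))
```
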