[Openswan Users] Is rightsubnet always required for subnet-subnet connections?
Paul Wouters
paul at xelerance.com
Sat Mar 12 18:30:42 EST 2011
On Fri, 11 Mar 2011, Kevin Locke wrote:
> I am attempting to set up subnet-to-subnet connections where both sides
> are using OpenSwan, both sides are gateway computers with a single
> public IP and a (separate) private subnet for which they NAT,
> connecting to each other via public addresses and passing traffic for
> the entire subnet.
>
> There is a single "central" subnet to which many other subnets will be
> connecting. I would like to provide administrative freedom to the
> connecting subnets and minimize the configuration required on the
> central subnet; ideally by allowing connections from any certificate
> issued by the central CA regardless of address/subnet. (Let me know
> if this configuration is stupid.)
> I would like to remove the rightsubnet= parameter from
> testconn-central so that I would not have to update the configuration
> any time a guest network is added/removed/changed. However, if I do,
> the connection fails in STATE_MAIN_R3/STATE_QUICK_I1 with the
> following message on the central server:
Use:
rightsubnet=vnet:%priv
Then you can have one (or more) subnets. As long as they appear in virtual_private=,
they are allowed. It is dangerous to allow ANY subnet, but if you want to do that,
you can add 0/0 to virtual private.
Paul
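As an added illustration of the configuration Paul describes (not part of the original thread, and not Openswan's own sample config): the central gateway accepts any peer presenting a certificate from the central CA and lets that peer propose whatever subnet it sits behind, as long as the proposed subnet falls inside virtual_private=. All addresses, subnets and certificate names below are constructed placeholders.

```ini
# ---- central gateway: /etc/ipsec.conf (constructed example) ----
config setup
    # Ranges a peer may propose via rightsubnet=vnet:%priv.
    # Listing the RFC1918 ranges keeps the door closed to arbitrary
    # (e.g. public) subnets; adding %v4:0.0.0.0/0 would allow ANY
    # subnet, which Paul warns against above.
    # The "!" entry excludes the central LAN itself so a guest cannot
    # claim to be the central subnet.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.1.0.0/24

conn testconn-central
    left=203.0.113.1              # central public IP (placeholder)
    leftsubnet=10.1.0.0/24        # central private LAN (placeholder)
    leftcert=central-gw.pem       # placeholder certificate name
    leftid=%fromcert
    right=%any                    # any peer address
    rightid=%fromcert
    rightca=%same                 # peer cert must chain to our CA
    rightsubnet=vnet:%priv        # peer proposes its own subnet
    authby=rsasig
    auto=add                      # central side only responds

# ---- one guest gateway: /etc/ipsec.conf (constructed example) ----
conn testconn-guest
    left=198.51.100.7             # guest public IP (placeholder)
    leftsubnet=192.168.50.0/24    # guest private LAN, inside virtual_private
    leftcert=guest-a.pem          # placeholder certificate name
    leftid=%fromcert
    right=203.0.113.1             # central public IP
    rightsubnet=10.1.0.0/24       # central private LAN
    rightid=%fromcert
    rightca=%same
    authby=rsasig
    auto=start                    # guest initiates
```

With this layout the central ipsec.conf does not change when a guest network is added, removed or renumbered; only a guest that tries to propose a subnet outside virtual_private= (or one excluded with "!") is refused, which is the check worth keeping rather than opening it to 0/0.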