[Openswan Users] Is rightsubnet always required for subnet-subnet connections?

Paul Wouters paul at xelerance.com
Sat Mar 12 18:30:42 EST 2011

On Fri, 11 Mar 2011, Kevin Locke wrote:

> I am attempting to setup subnet-to-subnet connections where both sides
> are using OpenSwan, both sides are gateway computers with a single
> public IP and a (separate) private subnet for which they NAT,
> connecting to each other via public addresses and passing traffic for
> the entire subnet.
> There is a single "central" subnet to which many other subnets will be
> connecting.  I would like to provide administrative freedom to the
> connecting subnets and minimize the configuration required on the
> central subnet; ideally by allowing connections from any certificate
> issued by the central CA regardless of address/subnet.  (Let me know
> if this configuration is stupid.)

> I would like to remove the rightsubnet= parameter from
> testconn-central so that I would not have to update the configuration
> any time a guest network is added/removed/changed.  However, if I do,
> the connection fails in STATE_MAIN_R3/STATE_QUICK_I1 with the
> following message on the central server:



Then you can have one (or more) subnets. As long as they appear in virtual_private=,
they are allowed. It is dangerous to allow ANY subnet, but if you want to do that,
you can add 0/0 to virtual private.


More information about the Users mailing list