[Openswan Users] Is rightsubnet always required for subnet-subnet connections?

Paul Wouters paul at xelerance.com
Sun Mar 13 15:27:24 EDT 2011


On Sat, 12 Mar 2011, Kevin Locke wrote:

>> Use:
>>
>> 	rightsubnet=vnet:%priv
>>
>> Then you can have one (or more) subnets. As long as they appear in virtual_private=,
>> they are allowed. It is dangerous to allow ANY subnet, but if you want to do that,
>> you can add 0/0 to virtual private.
>
> rightsubnet=vnet:%priv is exactly what I was looking for.  Thanks!
>
> Did I overlook this in one of the man pages, or is it undocumented
> (and, if so, would you like a patch to document it)?

It's in my copy of the man page:

        leftsubnet
            private subnet behind the left participant, expressed as
            network/netmask (actually, any form acceptable to
            ipsec_ttosubnet(3)); Currently, IPv4 and IPv6 ranges are
            supported. If omitted, essentially assumed to be left/32,
            signifying that the left end of the connection goes to the left
            participant only

            It supports two magic shorthands vhost: and vnet:, which can list
            subnets in the same syntax as virtual_private. The value %priv
            expands to the networks specified in virtual_private. The value %no
            means no subnet. A common use for allowing roadwarriors to come in
            on public IPs or via accepted NATed networks from RFC1918 is to use
            leftsubnet=vhost:%no,%priv. The vnet: option can be used to allow
            RFC1918 subnets without hardcoding them. When using vnet the
            connection will instantiate, allowing for multiple tunnels with
            different subnets.

Paul
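For readers who want to see the two pieces of the answer together, here is an ipsec.conf fragment added as an illustration (it is not from the original message or the Openswan distribution). The conn name, the subnet values and the interface are constructed placeholders; the setting names and the %v4:/! syntax of virtual_private are the documented Openswan ones. The point is that rightsubnet=vnet:%priv accepts only what virtual_private lists, so the local subnet is excluded with a ! entry to keep it from being claimed by a remote peer.

```ini
# /etc/ipsec.conf fragment (added example, constructed values)
config setup
    interfaces=%defaultroute
    # Networks a remote peer may present as its subnet when a conn
    # uses vnet:%priv. Only the RFC1918 ranges are allowed; the
    # local LAN 192.168.1.0/24 is explicitly excluded with "!" so a
    # peer cannot claim it and hijack traffic for local hosts.
    # Adding 0/0 here would allow ANY subnet; that is the dangerous
    # configuration the message warns against.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn subnet-to-subnets
    # local side: a fixed subnet behind this gateway
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftid=@hq-gateway.example
    # remote side: any peer presenting a subnet from virtual_private.
    # Because vnet: is used, the conn instantiates per peer, so several
    # remote sites with different subnets can share this one conn.
    right=%any
    rightid=@branch-gateway.example
    rightsubnet=vnet:%priv
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    auto=add
```

With this in place a peer proposing 10.20.0.0/16 or 172.16.5.0/24 as its subnet is accepted and gets its own tunnel instance, while a peer proposing 192.168.1.0/24 (the excluded local LAN) or a public range outside the listed blocks is rejected at negotiation. Check the loaded policy after `ipsec setup restart` with `ipsec auto --status`, which lists the virtual_private ranges the daemon actually accepted.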
