[Openswan Users] Is rightsubnet always required for subnet-subnet connections?

Paul Wouters paul at xelerance.com
Sun Mar 13 15:27:24 EDT 2011

On Sat, 12 Mar 2011, Kevin Locke wrote:

>> Use:
>> 	rightsubnet=vnet:%priv
>> Then you can have one (or more) subnets. As long as they appear in virtual_private=,
>> they are allowed. It is dangerous to allow ANY subnet, but if you want to do that,
>> you can add 0/0 to virtual private.
> rightsubnet=vnet:%priv is exactly what I was looking for.  Thanks!
> Did I overlook this in one of the man pages, or is it undocumented
> (and, if so, would you like a patch to document it)?

It's in my copy of the man page:

            private subnet behind the left participant, expressed as
            network/netmask (actually, any form acceptable to
            ipsec_ttosubnet(3)); Currentlly, IPv4 and IPv6 ranges are
            supported. if omitted, essentially assumed to be left/32,
            signifying that the left end of the connection goes to the left
            participant only

            It supports two magic shorthands vhost: and vnet:, which can list
            subnets in the same syntax as virtual_private. The value %priv
            expands to the networks specified in virtual_private. The value %no
            means no subnet. A common use for allowing roadwarrios to come in
            on public IPs or via accepted NATed networks from RFC1918 is to use
            leftsubnet=vhost:%no,%priv. The vnet: option can be used to allow
            RFC1918 subnets without hardcoding them. When using vnet the
            connection will instantiate, allowing for multiple tunnels with
            different subnets.


More information about the Users mailing list