[Openswan Users] Is rightsubnet always required for subnet-subnet connections?
Kevin Locke
kevin at kevinlocke.name
Sun Mar 13 18:39:34 EDT 2011
On Sun, 2011-03-13 at 15:27 -0400, Paul Wouters wrote:
> On Sat, 12 Mar 2011, Kevin Locke wrote:
>>> Use:
>>>
>>> rightsubnet=vnet:%priv
>>>
>>> Then you can have one (or more) subnets. As long as they appear in virtual_private=,
>>> they are allowed. It is dangerous to allow ANY subnet, but if you want to do that,
>>> you can add 0/0 to virtual private.
>>
>> rightsubnet=vnet:%priv is exactly what I was looking for. Thanks!
>>
>> Did I overlook this in one of the man pages, or is it undocumented
>> (and, if so, would you like a patch to document it)?
>
> It's in my copy of the man page:
>
> leftsubnet
>     private subnet behind the left participant, expressed as
>     network/netmask (actually, any form acceptable to
>     ipsec_ttosubnet(3)); Currently, IPv4 and IPv6 ranges are
>     supported. If omitted, essentially assumed to be left/32,
>     signifying that the left end of the connection goes to the left
>     participant only.
>
>     It supports two magic shorthands vhost: and vnet:, which can list
>     subnets in the same syntax as virtual_private. The value %priv
>     expands to the networks specified in virtual_private. The value %no
>     means no subnet. A common use for allowing roadwarriors to come in
>     on public IPs or via accepted NATed networks from RFC1918 is to use
>     leftsubnet=vhost:%no,%priv. The vnet: option can be used to allow
>     RFC1918 subnets without hardcoding them. When using vnet the
>     connection will instantiate, allowing for multiple tunnels with
>     different subnets.
Right you are. I was looking at an older version on my development
machine. Thanks again.
--
Cheers, | kevin at kevinlocke.name | JIM: kevinoid at jabber.org
Kevin | http://kevinlocke.name | IRC: kevinoid on freenode
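The following ipsec.conf fragment is an added illustration of the `rightsubnet=vnet:%priv` pattern discussed in the thread; it is not configuration posted by either participant. The addresses (RFC 5737 documentation space and RFC 1918 ranges), the connection name, and the choice of pre-shared-key authentication are assumptions made for the example.

```conf
config setup
    # Constructed example: the set of remote subnets that %priv expands to.
    # Only networks listed here are accepted from a peer that negotiates
    # against rightsubnet=vnet:%priv. The "%v4:!" entry excludes our own
    # LAN so a peer cannot claim it. Adding %v4:0.0.0.0/0 would accept any
    # subnet, which the thread describes as dangerous; it is left out.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn hub-to-branches
    # Local gateway and the one subnet it serves (assumed values).
    left=203.0.113.1
    leftsubnet=192.168.1.0/24
    # Any peer may connect; its subnet is whatever it proposes, provided
    # it falls within virtual_private. Openswan instantiates a separate
    # tunnel per negotiated subnet, so one conn covers several branches.
    right=%any
    rightsubnet=vnet:%priv
    # Assumed authentication method; the matching PSK lives in ipsec.secrets.
    authby=secret
    auto=add
```

With this in place, a branch gateway whose leftsubnet is 10.20.0.0/16 is accepted because it lies inside 10.0.0.0/8, while one proposing 192.168.1.0/24 is rejected by the exclusion. Checking the instantiated tunnels with `ipsec auto --status` shows one instance per accepted branch subnet.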