[Openswan Users] Is rightsubnet always required for subnet-subnet connections?

Kevin Locke kevin at kevinlocke.name
Sun Mar 13 18:39:34 EDT 2011

On Sun, 2011-03-13 at 15:27 -0400, Paul Wouters wrote:
> On Sat, 12 Mar 2011, Kevin Locke wrote:
>>> Use:
>>> 	rightsubnet=vnet:%priv
>>> Then you can have one (or more) subnets. As long as they appear in virtual_private=,
>>> they are allowed. It is dangerous to allow ANY subnet, but if you want to do that,
>>> you can add 0/0 to virtual private.
>> rightsubnet=vnet:%priv is exactly what I was looking for.  Thanks!
>> Did I overlook this in one of the man pages, or is it undocumented
>> (and, if so, would you like a patch to document it)?
> It's in my copy of the man page:
>        leftsubnet
>            private subnet behind the left participant, expressed as
>            network/netmask (actually, any form acceptable to
>            ipsec_ttosubnet(3)); Currently, IPv4 and IPv6 ranges are
>            supported. If omitted, essentially assumed to be left/32,
>            signifying that the left end of the connection goes to the left
>            participant only
>            It supports two magic shorthands vhost: and vnet:, which can list
>            subnets in the same syntax as virtual_private. The value %priv
>            expands to the networks specified in virtual_private. The value %no
>            means no subnet. A common use for allowing roadwarriors to come in
>            on public IPs or via accepted NATed networks from RFC1918 is to use
>            leftsubnet=vhost:%no,%priv. The vnet: option can be used to allow
>            RFC1918 subnets without hardcoding them. When using vnet the
>            connection will instantiate, allowing for multiple tunnels with
>            different subnets.

Right you are.  I was looking at an older version on my development
machine.  Thanks again.
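For readers landing here from a search, the following ipsec.conf fragment is an added illustration of the `rightsubnet=vnet:%priv` / `virtual_private=` combination discussed above; it is not taken from the original thread or from the Openswan distribution. The interface names, addresses, subnets and connection name are made up for the example. It shows the responder (left) side of a subnet-to-subnet setup in which the remote peer may propose any RFC 1918 subnet listed in `virtual_private=`, and it sets the `0/0` entry that Paul warns against aside in a comment rather than using it.

```ini
# Added example (not from the thread or the Openswan tree).
# All addresses, subnets and names below are assumptions for illustration.

config setup
    # virtual_private= is the allow-list that %priv expands to.
    # The %v4:! entry excludes our own LAN so a peer cannot claim it.
    # Do NOT add %v4:0.0.0.0/0 here: per the reply above that would
    # allow a peer to route ANY subnet through the tunnel.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.10.0/24
    protostack=netkey

# Subnet-to-subnet connection where the remote subnet is not hardcoded.
conn branch-office
    left=203.0.113.10            # this gateway (assumed public address)
    leftsubnet=192.168.10.0/24   # our fixed LAN
    right=198.51.100.20          # remote gateway (assumed public address)
    # vnet:%priv -> accept whichever subnet(s) the peer proposes, as long
    # as each one lies inside virtual_private= (and outside the ! exclusions).
    rightsubnet=vnet:%priv
    authby=secret
    # A vnet: connection instantiates per proposed subnet, so this side
    # waits for the peer to initiate rather than starting the tunnel itself.
    auto=add

# For comparison, the road-warrior form from the quoted man page: clients
# may arrive either on their public IP (%no) or from a NATed RFC 1918
# address (%priv). Shown here only to contrast vhost: with vnet:.
# conn roadwarriors
#     left=203.0.113.10
#     leftsubnet=192.168.10.0/24
#     right=%any
#     rightsubnet=vhost:%no,%priv
#     authby=secret
#     auto=add
```

The point to keep in mind is that `%priv` is only as restrictive as `virtual_private=`: the `%v4:!` exclusion of the local LAN is what stops a remote peer from negotiating a tunnel that claims your own network, and leaving `0.0.0.0/0` out is what stops it from claiming everything else.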

