[Openswan Users] modecfg supplied IP address and multiple subnets

Paul Wouters paul at nohats.ca
Wed Mar 14 20:30:07 EDT 2012

On Wed, 14 Mar 2012, Northfield Stuart wrote:

> I have successfully configured my linux test environment to connect and authenticate with the pfsense box and all three phase 2 associations are brought up (configured as multiple subnets in a single conn entry in ipsec.conf - see below), but I can only access some of the remote subnets.
> I observe (from the pfsense diagnostics) that two of the three SPDs are being defined (at the pfsense end) with the source as the subnet declared at the client end rather than the virtual IP address issued by the gateway via modecfg (which does appear on the third subnet SPD).

Is there a difference in behaviour if you use three conns with
rightsubnet= versus one conn with rightsubnets= ?

> Is this right? The iOS/Mac ipsec clients appear to use the modecfg supplied IP address across all three subnet SPDs, which is I think what I would expect - i.e. the linux client should also apply the IP address to all three phase 2 associations.

> I don't yet have anonymised logging, but the client end configuration is included below (in case I have missed something obvious - have been trying to resolve this for a couple of days now).

It would be useful to get a plutodebug=all log if possible (without the
leftsubnet/leftsourceips specified). You can send it to me off-list,
but try to do the least anonymising.

