Hello all, This may seem a silly question but I have not been able to find any info in any how-to or docs and I am hoping someone here can help me out.
The question is : How do I setup the IPSEC config so that I route only specific subnets over the IPSEC tunnel. Currently, I have set it up by simply using a large subnet mask that encompasses all the networks on either side of the link. (see my exmaple below) The problem is that I need to be more granular now and only route specific subnets over the link. I have played with it for awhile now and I can't seem to have more than one subnet declaration in my default conn statement. For example lets say I want only 192.168.130.0/24 and 192.168.134.0/24 to get routed over the IPSEC on router A and I only want 172.31.0.0/16 and 172.161.0.0/16 on router B. These are the only subnets I would like to be able to communicate over the IPSEC link... Is there a clean way to do this? Please have a look at my configs below and let me know how I should do this. Thanks in advance! Troy. router A (S'toon) # basic configuration config setup # THIS SETTING MUST BE CORRECT or almost nothing will work; # %defaultroute is okay for most simple cases. interfaces=%defaultroute # Debug-logging controls: "none" for (almost) none, "all" for lots. klipsdebug=none plutodebug=none # Use auto= parameters in conn descriptions to control startup actions. plutoload=%search plutostart=%search # Close down old connection when new one using same ID shows up. uniqueids=yes # defaults for subsequent connection descriptions conn %default # How persistent to be in (re)keying negotiations (0 means very). keyingtries=0 # RSA authentication with keys from DNS. authby=secret right=135.115.157.162 rightsubnet=192.168.0.0/16 rightnexthop=135.115.157.224 pfs=yes conn block auto=ignore conn private auto=ignore conn private-or-clear auto=ignore conn clear auto=ignore conn packetdefault auto=ignore conn victoria left=24.35.38.129 leftsubnet=172.0.0.0/8 leftnexthop=24.35.38.1 esp=aes auto=start Router B (Victoria) # basic configuration config setup # THIS SETTING MUST BE CORRECT or almost nothing will work; # %defaultroute is okay for most simple cases. interfaces=%defaultroute # Debug-logging controls: "none" for (almost) none, "all" for lots. klipsdebug=none plutodebug=none # Use auto= parameters in conn descriptions to control startup actions. plutoload=%search plutostart=%search # Close down old connection when new one using same ID shows up. uniqueids=yes # defaults for subsequent connection descriptions conn %default # How persistent to be in (re)keying negotiations (0 means very). keyingtries=0 # RSA authentication with keys from DNS. authby=secret right=24.35.38.129 rightsubnet=172.0.0.0/8 rightnexthop=24.35.38.1 pfs=yes conn block auto=ignore conn private auto=ignore conn private-or-clear auto=ignore conn clear auto=ignore conn packetdefault auto=ignore conn stoon left=135.115.157.162 leftsubnet=192.168.0.0/16 leftnexthop=135.115.157.224 esp=aes auto=start ------------------------------------------------------- This SF.Net email is sponsored by: InterSystems CACHE FREE OODBMS DOWNLOAD - A multidimensional database that combines robust object and relational technologies, making it a perfect match for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8 ------------------------------------------------------------------------ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html