Hello all, This may seem a silly question but I have not been able to find
any info in any how-to or docs and I am hoping someone here can help me out.
The question is : How do I setup the IPSEC config so that I route only
specific subnets over the IPSEC tunnel. Currently, I have set it up by
simply using a large subnet mask that encompasses all the networks on either
side of the link. (see my exmaple below) The problem is that I need to be
more granular now and only route specific subnets over the link. I have
played with it for awhile now and I can't seem to have more than one subnet
declaration in my default conn statement. For example lets say I want only
192.168.130.0/24 and 192.168.134.0/24 to get routed over the IPSEC on router
A and I only want 172.31.0.0/16 and 172.161.0.0/16 on router B. These are
the only subnets I would like to be able to communicate over the IPSEC
link... Is there a clean way to do this? Please have a look at my configs
below and let me know how I should do this.
Thanks in advance!
Troy.
router A (S'toon)
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup
actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes
# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# RSA authentication with keys from DNS.
authby=secret
right=135.115.157.162
rightsubnet=192.168.0.0/16
rightnexthop=135.115.157.224
pfs=yes
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
conn victoria
left=24.35.38.129
leftsubnet=172.0.0.0/8
leftnexthop=24.35.38.1
esp=aes
auto=start
Router B (Victoria)
# basic configuration
config setup
# THIS SETTING MUST BE CORRECT or almost nothing will work;
# %defaultroute is okay for most simple cases.
interfaces=%defaultroute
# Debug-logging controls: "none" for (almost) none, "all" for lots.
klipsdebug=none
plutodebug=none
# Use auto= parameters in conn descriptions to control startup
actions.
plutoload=%search
plutostart=%search
# Close down old connection when new one using same ID shows up.
uniqueids=yes
# defaults for subsequent connection descriptions
conn %default
# How persistent to be in (re)keying negotiations (0 means very).
keyingtries=0
# RSA authentication with keys from DNS.
authby=secret
right=24.35.38.129
rightsubnet=172.0.0.0/8
rightnexthop=24.35.38.1
pfs=yes
conn block
auto=ignore
conn private
auto=ignore
conn private-or-clear
auto=ignore
conn clear
auto=ignore
conn packetdefault
auto=ignore
conn stoon
left=135.115.157.162
leftsubnet=192.168.0.0/16
leftnexthop=135.115.157.224
esp=aes
auto=start
-------------------------------------------------------
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines
robust object and relational technologies, making it a perfect match
for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
