First of all, thanks so much for the quick reply! I am sorry to bug you a second time but I need some baby steps here. Can you please give me an example with the configs I provided. I need to see the "also=common_conn_params" in terms of my config. For example, if I had 192.168.161.0/24, 192.168.162.0/24, 192.168.163.0/24 networks on router A side, and I wanted Router B to connect to ONLY those subnets, can you please type in "exactly" what I would need on both router A (S'toon) and router B (Victoria). From that, I should be able to figure out what I need to do to be more precise about the Router B networks within the 172.0.0.0/8 range.
Again, thanks in advance!!! Sorry to be a pain.

Troy

Router A (S'toon)

    # basic configuration
    config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

    # defaults for subsequent connection descriptions
    conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # Authentication by pre-shared secret (from ipsec.secrets).
        authby=secret
        right=135.115.157.162
        rightsubnet=192.168.0.0/16
        rightnexthop=135.115.157.224
        pfs=yes

    conn block
        auto=ignore

    conn private
        auto=ignore

    conn private-or-clear
        auto=ignore

    conn clear
        auto=ignore

    conn packetdefault
        auto=ignore

    conn victoria
        left=24.35.38.129
        leftsubnet=172.0.0.0/8
        leftnexthop=24.35.38.1
        esp=aes
        auto=start

Router B (Victoria)

    # basic configuration
    config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

    # defaults for subsequent connection descriptions
    conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # Authentication by pre-shared secret (from ipsec.secrets).
        authby=secret
        right=24.35.38.129
        rightsubnet=172.0.0.0/8
        rightnexthop=24.35.38.1
        pfs=yes

    conn block
        auto=ignore

    conn private
        auto=ignore

    conn private-or-clear
        auto=ignore

    conn clear
        auto=ignore

    conn packetdefault
        auto=ignore

    conn stoon
        left=135.115.157.162
        leftsubnet=192.168.0.0/16
        leftnexthop=135.115.157.224
        esp=aes
        auto=start

-----Original Message-----
From: Erich Titl [mailto:[EMAIL PROTECTED]
Sent: Monday, November 15, 2004 2:33 PM
To: Troy Aden
Cc: Leaf-User (E-mail)
Subject: Re: [leaf-user] IPSEC subnet routing

Troy

Troy Aden wrote:
>Hello all, This may seem a silly question but I have not been able to find
>any info in any how-to or docs and I am hoping someone here can help me out.
>
> http://www.freeswan.org/freeswan_trees/freeswan-1.98b/doc/manpage.d/ipsec.conf.5.html
>
>The question is : How do I setup the IPSEC config so that I route only
>specific subnets over the IPSEC tunnel. Currently, I have set it up by
>simply using a large subnet mask that encompasses all the networks on either
>side of the link. (see my example below) The problem is that I need to be
>more granular now and only route specific subnets over the link. I have
>played with it for a while now and I can't seem to have more than one subnet
>declaration in my default conn statement. For example let's say I want only
>192.168.130.0/24 and 192.168.134.0/24 to get routed over the IPSEC on router
>A and I only want 172.31.0.0/16 and 172.161.0.0/16 on router B. These are
>the only subnets I would like to be able to communicate over the IPSEC
>link... Is there a clean way to do this? Please have a look at my configs
>below and let me know how I should do this.
>
>

Define a single connection for each subnet. You can use the also= statement to include common parameters.

e.g.

    conn xx
        also=common_conn_params
        rightsubnet=10.0.0.32/27
        auto=add

    conn common_conn_params
        left=xx.yy.zz.nn
        leftsubnet=aa.bb.cc.dd/nn
        ......
cheers

Erich
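What Erich's also= approach looks like with the three S'toon subnets Troy names, as an added example that is not from either poster: one conn per 192.168.16x.0/24, each pulling the shared endpoint settings from a common section, with Victoria's side left at 172.0.0.0/8 until it is narrowed the same way. It assumes the addresses from the configs above and that config setup, conn %default (minus right=/rightsubnet=/rightnexthop=, which move into the common section) and the auto=ignore stanzas stay as they are.

```ini
# Shared by both routers: FreeS/WAN works out which end it is from the
# interface address, so the same conn sections go into both ipsec.conf files.

# One conn per S'toon subnet. Only these three get a tunnel; any other
# 192.168.0.0/16 traffic is no longer carried over (or accepted from) the link.
conn stoon161-victoria
    also=stoon-victoria-common
    leftsubnet=192.168.161.0/24
    auto=start

conn stoon162-victoria
    also=stoon-victoria-common
    leftsubnet=192.168.162.0/24
    auto=start

conn stoon163-victoria
    also=stoon-victoria-common
    leftsubnet=192.168.163.0/24
    auto=start

# Endpoint settings common to the conns above, placed after them as in
# Erich's example. No auto= here, so plutoload=%search never tries to load
# this incomplete section as a connection of its own.
conn stoon-victoria-common
    left=135.115.157.162
    leftnexthop=135.115.157.224
    right=24.35.38.129
    rightnexthop=24.35.38.1
    rightsubnet=172.0.0.0/8
    esp=aes
```

Each conn carries exactly one leftsubnet and one rightsubnet, so narrowing Victoria's side to, say, two 172.x.0.0/16 networks means one conn per subnet pair (3 x 2 = 6 conns), each named for its pair; `ipsec auto --status` then lists exactly the pairs that are allowed through.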