All,
Having learnt how to provide access to the local subnet when the tunnel is up, I now want to restrict the list of subnets available through the tunnel. In other words, I want everything to go OFF-tunnel unless it is in the supplied list of subnets.

So, I set up a normal tunnel and provide a comma-separated list of allowed subnets (e.g. rightsubnet=172.20.0.0/16,1.1.0.0/16).

As hoped for, strongSwan leaves the default ip route alone so that, by default, traffic is off-tunnel, and adds a set of ip routes that direct the desired traffic down the tunnel.

So far, so good.

[ strongSwan is also using the list of allowed subnets to set up ip xfrm policies. I'm not sure if I want these or understand them, but I'll leave them be until I learn more about xfrm. ]

By accident, I found out that strongSwan is also using the list of allowed subnets as responder traffic-selectors in the ISAKMP messages to set up the tunnel.

Is this correct? Desired?

Why would the remote end of the tunnel be interested in how I want to direct traffic on- or off-tunnel? Surely routing policy is a local decision?

Or, as usual, have I got hold of the wrong end of the stick? Are responder traffic-selectors meant to tell the remote end what traffic to send us down the tunnel, and should I add explicit routes (and not use rightsubnet) to direct which locally-generated traffic goes on- or off-tunnel?

Hope this all makes sense. I can provide examples if anyone has not got a clue what I'm going on about.
Regards,
Graham.
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
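The post above observes that the rightsubnet list is used both for local routes/xfrm policies and as the responder traffic selectors (TSr) sent to the peer. The example below, added here and not code from the list post or from strongSwan, models why both uses stem from the same list: in IKEv2 (RFC 7296, section 2.9) the initiator proposes selectors and the responder narrows them to what it is configured for, so the CHILD_SA only ever covers the intersection, and that intersection is exactly the set of destinations that the local routes and policies then steer into the tunnel. Everything in the block is an assumption of mine for illustration: selectors are modelled as bare IPv4/IPv6 CIDR blocks (real traffic selectors also carry protocol and port ranges, which are ignored), and the proposed and configured lists are constructed sample values.

```python
"""Worked model of IKEv2 traffic-selector narrowing and of the resulting
on-tunnel / off-tunnel decision. Added example; not strongSwan code."""
import ipaddress


def parse_subnets(spec):
    """Parse a strongSwan-style comma-separated subnet list (the value of a
    leftsubnet=/rightsubnet= option) into ip_network objects."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.split(",") if s.strip()]


def narrow(proposed, configured):
    """Responder-side narrowing (assumed simplification of RFC 7296 2.9):
    keep every block that is covered by both a proposed selector and a
    configured one. When two blocks overlap, the more specific one is the
    intersection. Returns the narrowed list in proposal order, de-duplicated."""
    chosen = []
    for p in proposed:
        for c in configured:
            if p.version != c.version:
                continue  # subnet_of() raises on mixed IPv4/IPv6, so skip
            if p.subnet_of(c):
                hit = p
            elif c.subnet_of(p):
                hit = c
            else:
                continue
            if hit not in chosen:
                chosen.append(hit)
    return chosen


def on_tunnel(dst, selectors):
    """True if dst falls inside one of the negotiated selectors, i.e. the
    installed routes/xfrm policies would send it down the tunnel; False means
    it stays on the untouched default route (off-tunnel)."""
    addr = ipaddress.ip_address(dst)
    return any(addr.version == n.version and addr in n for n in selectors)


if __name__ == "__main__":
    # Constructed sample values: the post's rightsubnet list as the local
    # configuration, and a made-up wider proposal from the peer.
    configured = parse_subnets("172.20.0.0/16,1.1.0.0/16")
    proposed = parse_subnets("172.20.5.0/24,10.0.0.0/8,1.0.0.0/8")
    negotiated = narrow(proposed, configured)
    print("negotiated selectors:", [str(n) for n in negotiated])
    for dst in ("172.20.5.7", "172.20.6.7", "1.1.1.1", "8.8.8.8"):
        print(dst, "on-tunnel" if on_tunnel(dst, negotiated) else "off-tunnel")
```

The point the run makes: 172.20.6.7 is inside the local rightsubnet list, yet it ends up off-tunnel because the peer only proposed 172.20.5.0/24 and the SA was narrowed to that; a local route for 172.20.0.0/16 alone would not change what the peer accepts. That is why the subnet list is not a purely local routing decision.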