On Tue, 31 Oct 2017, Nirvana wrote:

>> Or you can set up one for 0.0.0.0/0 on the server, install firewall rules
>> there to limit traffic to the three networks, and give the client a custom
>> leftupdown= script that only routes those 3 subnets into the single VTI
>> device.
>
> Thanks for the response! I am doing what you suggested (0.0.0.0/0 on server and
> adding routes for VTI interface) and it appears to be working. For instance I
> am able to add a functioning route using:
>
>   ip r a 192.168.2.0/24 dev vti9 scope link src 192.168.9.12
>
> However if I try to add routes using an updown script I am having an issue
> where vti9 isn't up yet so I can't add the routes yet. Below is how I was able
> to test that.
>
> In the client config I added: leftupdown=/etc/ipsec.updown

Did you copy the _updown.netkey script and make your additions to that
script? You still need the real updown script because that is the
script that actually creates the vti device.

> and created that executable shell script with the following contents:
>
>   ip a
>   exit 0

Is that a copy-paste error? Because I see no script. But you really need
to take _updown.netkey and _add_ your custom things to that script.

Paul
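As an added illustration (not code from the thread or from libreswan), one way to do what Paul describes is a wrapper /etc/ipsec.updown that still hands every call to the stock _updown.netkey and adds the subnet routes only after that call returns, so the vti device already exists when the routes go in. The _updown.netkey path, the VTI_IFACE variable and the second and third subnets are assumptions; vti9, the source address and 192.168.2.0/24 come from the thread.

```shell
#!/bin/sh
# /etc/ipsec.updown: wrapper around libreswan's own _updown.netkey.
# The stock script is what creates the VTI device, so route additions must
# run only after it has returned; deletions run before it tears the device down.

# Path assumed for a typical install; adjust to where your package puts it.
REAL_UPDOWN=/usr/libexec/ipsec/_updown.netkey
# VTI_IFACE is assumed to be exported by pluto from vti-interface=; vti9 and the
# source address come from the thread. The three subnets are constructed sample values.
VTI_DEV="${VTI_IFACE:-vti9}"
VTI_SRC=192.168.9.12
SUBNETS="192.168.2.0/24 192.168.3.0/24 192.168.4.0/24"

# Emit (do not run) the ip(8) commands for one pluto verb, so the routing
# logic can be checked without root or a live tunnel.
# Usage: vti_route_cmds VERB DEV SRC SUBNET...
vti_route_cmds() {
    verb=$1; dev=$2; src=$3; shift 3
    for net in "$@"; do
        case $verb in
            # "replace" is idempotent where "ip r a" fails if the route exists
            up-client)   echo "ip route replace $net dev $dev scope link src $src" ;;
            down-client) echo "ip route del $net dev $dev" ;;
            *) ;;   # prepare/route/unroute verbs need no VTI routes
        esac
    done
}

# Execute each emitted command line; log failures instead of aborting pluto's call.
run_cmds() {
    while read -r cmd; do
        [ -n "$cmd" ] && { $cmd || logger -t ipsec.updown "failed: $cmd"; }
    done
}

# Only act when pluto invokes us; PLUTO_VERB is set in that environment.
if [ -n "${PLUTO_VERB:-}" ]; then
    case $PLUTO_VERB in
        down-*)
            # drop our routes first, then let the stock script remove the device
            vti_route_cmds "$PLUTO_VERB" "$VTI_DEV" "$VTI_SRC" $SUBNETS | run_cmds
            "$REAL_UPDOWN" "$@" ;;
        *)
            "$REAL_UPDOWN" "$@"; rc=$?
            # on up-client the device now exists, so the routes can be added
            vti_route_cmds "$PLUTO_VERB" "$VTI_DEV" "$VTI_SRC" $SUBNETS | run_cmds
            exit $rc ;;
    esac
fi
```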
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan