On Tue, 14 Feb 2023, Brady Johnson wrote:
> I tried your suggestion and I still get the same result. First I removed the
> "rightsubnet=0.0.0.0/0" from the server config, and then got "IKE_AUTH
> response rejected Child SA with TS_UNACCEPTABLE" when starting the client, so I also
> removed "leftsubnet=0.0.0.0/0" from the client config, but the
> client-side xfrm policies are the same as before.
>
> Here are the relevant configs:
>
> Server:
> ---------
> ...
> # Clients
> right=%any
> rightrsasigkey=%cert
> rightid=%fromcert
> rightca=%same
> rightaddresspool="172.16.111.10-172.16.111.99"
> leftmodecfgserver=yes
> ...

This requires narrowing=yes and leftsubnet=yoursubnet/mask

> Client:
> ---------
> ...
> left=172.16.1.10
> leftrsasigkey=%cert
> leftid="O=XYZ,CN=vpnclient.dl110-00.xyz.com"
> leftcert=vpnclient.dl110-00.xyz.com
> leftupdown="/bin/ipsec_tunnel_tool_updown.xfrm.sh"
> leftmodecfgclient=yes
> ...

This requires narrowing=yes and leftsubnet=0.0.0.0/0 and rightsubnet=0.0.0.0/0.
That is, the client asks for "everything" and the server narrows it down
to one IP/32 to 0/0.
Paul
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
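The thread turns on whether the client-side xfrm policies show the narrowed selectors Paul describes (pool address/32 on one side, 0/0 on the other) or still the unnarrowed 0/0 <-> 0/0 pair. The checker below is an added example, not code from the thread or from libreswan; it parses `ip xfrm policy` output and reports whether narrowing to the client's pool address took place. The two policy dumps, the pool address 172.16.111.10 and the priority/reqid numbers are constructed for the example.

```python
import re

# Constructed `ip xfrm policy` output (not from the thread): the narrowed
# case, pool address 172.16.111.10/32 paired with 0/0 in both directions.
NARROWED = """\
src 172.16.111.10/32 dst 0.0.0.0/0
\tdir out priority 1753 ptype main
\ttmpl src 172.16.1.10 dst 172.16.1.1
\t\tproto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 172.16.111.10/32
\tdir in priority 1753 ptype main
\ttmpl src 172.16.1.1 dst 172.16.1.10
\t\tproto esp reqid 16389 mode tunnel
"""

# Constructed output where both selectors stayed 0/0: no narrowing took place.
UNNARROWED = """\
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir out priority 1753 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir in priority 1753 ptype main
"""

SELECTOR = re.compile(r"^src (\S+) dst (\S+)")
DIRECTION = re.compile(r"^\s+dir (\w+)")

def parse_xfrm_policies(text):
    """Return {src, dst, dir} for each policy entry; tmpl lines are ignored."""
    policies, cur = [], None
    for line in text.splitlines():
        m = SELECTOR.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "dir": ""}
            policies.append(cur)
        elif cur is not None and (m := DIRECTION.match(line)):
            cur["dir"] = m.group(1)
    return policies

def narrowed_to_client(policies, client_ip):
    """True when the policies are client/32 <-> 0/0, i.e. the server narrowed
    the client's 0/0 proposal down to its assigned pool address."""
    host = client_ip + "/32"
    out_ok = any(p["dir"] == "out" and p["src"] == host and p["dst"] == "0.0.0.0/0" for p in policies)
    in_ok = any(p["dir"] == "in" and p["src"] == "0.0.0.0/0" and p["dst"] == host for p in policies)
    return out_ok and in_ok
```

On a live client, feed it the output of `ip xfrm policy` together with the address handed out from rightaddresspool; a False result with both sides still 0/0 means the narrowing Paul describes did not happen.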