On Fri, 9 Feb 2024, Phil Nightowl wrote:

>> Without these, you would only match a single left and right IP/32, and
>> when using right=%any that would become 0.0.0.0/32 which is a single IP
>> address.

> Please forgive me, I still don't get it. To me, it seems that even if those
> subnets are single IPs (/32), they're still ANY IPs.

It might not really make sense, but it is how it works.

> on a client machine would allow me to SSH (tcp/22) from that particular
> host to %any other, perhaps just not allowing SSH to pass through to any
> further hosts on the same subnet that the right participant might be
> forwarding (routing, NATting, ...) to or forwarding to the right
> participant for others. Which is obviously not the case, according to
> what you write.

I understand why that makes logical sense.

> Now I am going to get rid of opportunistic encryption for the ipsec part
> itself. On host.privlan I just removed the policy file and replaced
> right=%opportunisticgroup with right=192.168.1.253. Everything works.
> The next step would be to adjust right= on server.privlan accordingly -
> but to what? Obviously, I could use right=%any - but I will need this
> option in the future to configure a different connection for the
> roadwarriors. Which brings me back to the question of how to distinguish
> between those connections?

You can have multiple connections with right=%any and do matching on
rightid= to select between them.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
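An added illustration of the rightid= matching Paul describes, for the server side (server.privlan at 192.168.1.253); this is constructed example configuration, not from the thread or the libreswan project. The IKE identities @server.privlan and @host.privlan, the certificate nickname, the address pool and the file name are assumptions.

```ini
# /etc/ipsec.d/privlan.conf  (constructed example, not from the thread)
# Both conns use right=%any, so any peer address may connect. libreswan
# then selects the conn whose rightid= matches the identity the peer
# presents in IKE; the exact-match conn wins over the generic one.

conn host-privlan
    # the fixed LAN host: address unknown to the server, identity fixed
    left=192.168.1.253
    leftid=@server.privlan
    leftcert=server.privlan          # assumed cert nickname in the NSS db
    leftsubnet=0.0.0.0/0             # host-to-host, all traffic
    right=%any
    rightid=@host.privlan            # only this peer ID matches here
    rightsubnet=0.0.0.0/0
    authby=rsasig
    auto=add

conn roadwarriors
    # everyone else authenticating with a certificate from our CA
    left=192.168.1.253
    leftid=@server.privlan
    leftcert=server.privlan
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%fromcert                # take the peer ID from its certificate
    rightca=%same                    # must be issued by the server's CA
    rightaddresspool=10.99.0.10-10.99.0.250   # assumed pool for roadwarriors
    authby=rsasig
    auto=add
```

After `ipsec auto --add` for both conns, `ipsec auto --status` shows which conn each established IKE SA was matched to, so a peer with ID @host.privlan should land on host-privlan and any other certificate holder on roadwarriors.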