> > conn headq
> > left=%defaultroute
> > leftcert=remotehost1
> > leftid=%fromcert
> > right=198.51.100.33
> > rightid=%fromcert
> > leftsubnet=0.0.0.0/0
> > rightsubnet=0.0.0.0/0
>
> What are you trying to do here? Where does 0.0.0.0/0 live? It cannot live at both sides of the tunnel. Where would a packet for 1.2.3.4 need to go? To left or to right?
>
> Are you trying to make a route based VPN without using an ipsec interface?
No. Honestly, I just added {left,right}subnet based on your advice regarding the SSH passthrough conn. Admittedly, without really understanding what is behind those two - I got quite confused about the 0.0.0.0/0 options.

However, the goal is as described before: keep the working ipsec connection to hosts living inside 192.168.1.0/24 and additionally establish a connection from remotehost1.privlan (initiator, 10.0.1.138 locally, sitting behind a public 203.0.113.55) to server.privlan (responder, 192.168.1.253 locally, public 198.51.100.33). Although the configuration of remotehost[xx].privlan may vary, you can safely assume remotehost1.privlan to have just one network interface with the usual configuration.

I hope to have made it less confusing now, at least for you.

Phil

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
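As an added illustration of the point raised in the quoted reply (this is not configuration from the thread or from the libreswan project), here is the same conn written from remotehost1's side so that each subnet lives on exactly one end of the tunnel, using only the addresses Phil gives; the ikev2=, authby= and auto= values are assumptions.

```ini
# Added example, not from the thread: /etc/ipsec.conf on remotehost1 (the initiator).
# Addresses come from the thread; ikev2/authby/auto values are assumptions.
conn headq
    # left = this host (10.0.1.138 behind NAT 203.0.113.55); %defaultroute picks its address
    left=%defaultroute
    leftcert=remotehost1
    leftid=%fromcert
    # Only this host's own address lives on the left, not 0.0.0.0/0
    leftsubnet=10.0.1.138/32
    # right = server.privlan's public address
    right=198.51.100.33
    rightid=%fromcert
    # The LAN behind the server lives on the right: a packet for 192.168.1.x goes right,
    # a packet for an unrelated address such as 1.2.3.4 never matches and never enters the tunnel
    rightsubnet=192.168.1.0/24
    ikev2=insist
    authby=rsasig
    auto=start
# For a plain host-to-host tunnel to 192.168.1.253 only, drop both *subnet lines instead;
# libreswan then defaults each subnet to that side's own address. The server's conn mirrors
# this with its own local address on its side and 203.0.113.55 (or %any) as the peer.
```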