> > conn headq
> >         left=%defaultroute
> >         leftcert=remotehost1
> >         leftid=%fromcert
> >         right=198.51.100.33
> >         rightid=%fromcert
> >         leftsubnet=0.0.0.0/0
> >         rightsubnet=0.0.0.0/0
>
> What are you trying to do here? Where does 0.0.0.0/0 live? It cannot
> live at both sides of the tunnel. Where would a packet for 1.2.3.4
> need to go? To left or to right?
I realised I did not answer this one. A packet for 1.2.3.4 should go out unencrypted, as this address is not equal to 198.51.100.33 (which would be the only host to which an IPsec conn is desired).

Still sticking to host-to-host (client-to-server); no tunnel between subnets is necessary. Some real tunnels (subnet-to-subnet) are to be added at some point in the future, but at the moment I want to keep things as simple as possible to get the primary connections working at all.

Should I remove the leftsubnet/rightsubnet options altogether?

Phil

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
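Added example, not from the thread and not from the Libreswan project: the quoted conn rewritten for the host-to-host case described above, with the two subnet lines dropped. In libreswan an omitted leftsubnet/rightsubnet defaults to that side's own address (a /32), so the installed policy covers only traffic between the two peers and everything else, 1.2.3.4 included, leaves in the clear. The names and addresses (headq, remotehost1, 198.51.100.33) are taken from the quoted config; nothing else is assumed.

```ini
# ipsec.conf excerpt, added example (not the config posted in the thread).
# Host-to-host IPsec between this host and 198.51.100.33 only.
#
# Wrong for host-to-host (from the quoted post): both of
#         leftsubnet=0.0.0.0/0
#         rightsubnet=0.0.0.0/0
# claim "all addresses" for each side, so the kernel has no consistent
# answer for where a packet to 1.2.3.4 belongs.
#
# Corrected: leave both subnet options out. Each side then defaults to
# its own address/32, which is exactly the host-to-host policy wanted.

conn headq
        left=%defaultroute
        leftcert=remotehost1
        leftid=%fromcert
        right=198.51.100.33
        rightid=%fromcert
        # no leftsubnet / rightsubnet: selectors default to <left>/32 and
        # 198.51.100.33/32, so only peer-to-peer traffic is protected
```

After loading the conn (ipsec auto --add headq, then ipsec auto --up headq), ipsec status and ip xfrm policy should show selectors of the two host addresses as /32 and nothing wider; traffic to any third address is then unaffected by this conn. 0.0.0.0/0 is only legitimate on one side, the gateway side of a full-tunnel (road-warrior style) conn; for the later subnet-to-subnet tunnels, add separate conns with explicit, non-overlapping leftsubnet/rightsubnet values rather than widening this one.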
