On Thu, 15 Feb 2024, Phil Nightowl wrote:

> > > conn headq
> > >    left=%defaultroute
> > >    leftcert=remotehost1
> > >    leftid=%fromcert
> > >    right=198.51.100.33
> > >    rightid=%fromcert
> > >    leftsubnet=0.0.0.0/0
> > >    rightsubnet=0.0.0.0/0
> >
> > What are you trying to do here? Where does 0.0.0.0/0 live? It cannot
> > live at both sides of the tunnel. Where would a packet for 1.2.3.4
> > need to go? To left or to right?
>
> I realised I did not answer this one. A packet for 1.2.3.4 should go out
> unencrypted, as this address is not equal to 198.51.100.33 (which would
> be the only host to whom the ipsec conn is desired). Still sticking to
> host-to-host (client-to-server), no tunnel between subnets necessary.
>
> Some real tunnels (subnet-to-subnet) are to be added at some point in
> the future, but at the moment, I want to keep things as simple as
> possible to get the primary connections working at all.
>
> Should I remove the leftsubnet/rightsubnet options altogether?

Yes.

_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
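The corrected conn, as an added example that is not part of the thread above: the same definition with the two subnet lines dropped. In libreswan, when leftsubnet/rightsubnet are omitted the traffic selector on each side defaults to that host's own address (a /32), so the policy covers only traffic between this host and 198.51.100.33; a packet for 1.2.3.4 matches no IPsec policy and leaves in the clear, which is the behaviour asked for. With 0.0.0.0/0 on both sides the kernel would instead be told that every destination, including 1.2.3.4, lives behind the peer. The auto=start line is an assumption added here so the connection is brought up at startup; everything else is taken from the original conn.

```conf
# Added example, not from the original thread.
# Host-to-host connection: no leftsubnet/rightsubnet, so each side's
# traffic selector defaults to the host address itself (left/32 and
# 198.51.100.33/32). Only packets between the two hosts are protected.
conn headq
    left=%defaultroute
    leftcert=remotehost1
    leftid=%fromcert
    right=198.51.100.33
    rightid=%fromcert
    # leftsubnet/rightsubnet intentionally omitted (defaults to host-only)
    auto=start            # assumption: bring the conn up at startup
```

To confirm the effect after loading it, `ipsec status` shows the conn's selectors as the two host addresses rather than 0.0.0.0/0, and `ip xfrm policy` should list src/dst pairs of the form `<left-address>/32` and `198.51.100.33/32` only. When the subnet-to-subnet tunnels are added later, they belong in separate conn blocks with concrete leftsubnet/rightsubnet values, not a catch-all 0.0.0.0/0 on both ends.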