Hi.

I was setting up a roadrunner setup and stumbled across two things:

1) Manpages and documentation tell that left/rightsubnetwithin would be of no use with IKEv2, right? It seems however that it does work and can be used so that both sides must agree on an assigned virtual IP, e.g.:

moon:
  right=%any
  rightallowany=yes
  rightid="someDN"
  rightsourceip=1.2.3.4

roadrunner:
  right* points to moon
  left=%defaultroute
  leftallowany=no
  leftsourceip=%modeconfig

This alone makes (AFAIU) that the roadrunner cannot force an address to be used by moon (e.g. even when setting leftsourceip=2.2.2.2, still 1.2.3.4 would be used). But moon can force any address to be used by the roadrunner, because the responder decides, right? This might be undesirable for the roadrunner (e.g. when it is specially secured with some firewall rules or so). But when one sets on the roadrunner side:

  leftsubnetwithin=1.2.3.4/32

it seems that one can enforce that address to be used. So if moon would change it, no connection would happen. Might be worth adding this to the documentation (in case I haven't just overlooked it).

2) What I wanted to do is having auto=add on the moon side and auto=route on the roadrunner side, so that the connection is only established when the roadrunner needs it. But while the ip xfrm policies seem to be set up, no connection seems to be established when traffic occurs. Or at least nothing changes when doing an ipsec statusall. Am I doing anything wrong?

Cheers,
Chris.
_______________________________________________ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
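The two-ended setup the post describes, laid out as a pair of ipsec.conf fragments; this is an added example, not the poster's actual configuration or anything from the strongSwan project. Moon's address 192.0.2.1, the host name moon.example.org, the DNs, the certificate file names and the 10.0.0.0/16 network are constructed placeholders, and whether leftsubnetwithin really pins the virtual IP under IKEv2 is the poster's observation that the example only arranges, not something it verifies.

```ini
# /etc/ipsec.conf on moon (responder): accepts the roadrunner and hands out
# the virtual IP 1.2.3.4; auto=add only loads the conn, it never initiates.
conn roadrunner
    keyexchange=ikev2
    left=192.0.2.1              # moon's own address (constructed placeholder)
    leftcert=moonCert.pem       # placeholder file name
    leftid="C=CH, O=Example, CN=moon"
    leftsubnet=10.0.0.0/16      # network behind moon (constructed)
    right=%any
    rightallowany=yes
    rightid="C=CH, O=Example, CN=roadrunner"   # the "someDN" from the post
    rightsourceip=1.2.3.4       # virtual IP assigned to the roadrunner
    auto=add

# /etc/ipsec.conf on the roadrunner (initiator): requests a virtual IP but,
# as described in the post, narrows its own traffic selector to 1.2.3.4/32
# so that a different assignment from moon cannot be used; auto=route installs
# only the xfrm trap policies and leaves the tunnel to be set up on demand.
conn moon
    keyexchange=ikev2
    left=%defaultroute
    leftallowany=no
    leftcert=roadrunnerCert.pem # placeholder file name
    leftid="C=CH, O=Example, CN=roadrunner"
    leftsourceip=%modeconfig    # request a virtual IP via the IKEv2 config payload
    leftsubnetwithin=1.2.3.4/32 # pin the accepted virtual IP (per the post)
    right=moon.example.org      # placeholder host name for moon
    rightid="C=CH, O=Example, CN=moon"
    rightsubnet=10.0.0.0/16     # traffic to this net is what should trigger the acquire
    auto=route
```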