
Issue #2534

left/rightsubnet Documentation

Added by Jafar Al-Gharaibeh almost 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Category:
documentation
Affected version:
5.6.1
Resolution:
No feedback

Description

I'm looking at left|rightsubnet documentation at:

https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

The first paragraph says:

"private subnet behind the left participant, expressed as network/netmask; if omitted, essentially assumed to be left/32|128, signifying that the left|right end of the connection goes to the left|right participant only."

The last paragraph says:

"Instead of specifying a subnet, %dynamic can be used to replace it with the IKE address, having the same effect as omitting left|rightsubnet completely."

The verbiage regarding omitting left/rightsubnet is different in the two places. What is the correct behavior? A combination of the two? Or is it the same already, where "IKE address" is referring to left/right addresses?

Whatever the behavior is, I suggest keeping only one place (at the end) to talk about omitting the config and consolidating the description.

Moreover, in one use case, I had a few subnets (left/rightsubnets) in addition to also having a virtual address (left/rightsourceip). It took me a while with trial and error to figure out that I need not only the subnets, but also %dynamic configured to get the tunnel to work as expected. I.e.,

rightsubnet= subnet1, subnet2, %dynamic

I didn't know that this was valid, but it seemed to do the trick for me. Just wondering if this is correct or it should be documented as well.

Thanks,
Jafar

History

#1 Updated by Tobias Brunner almost 4 years ago

  • Category set to documentation
  • Status changed from New to Feedback

The first paragraph says:

"private subnet behind the left participant, expressed as network/netmask; if omitted, essentially assumed to be left/32|128, signifying that the left|right end of the connection goes to the left|right participant only."

The last paragraph says:

"Instead of specifying a subnet, %dynamic can be used to replace it with the IKE address, having the same effect as omitting left|rightsubnet completely."

The verbiage regarding omitting left/rightsubnet is different in the two places. What is the correct behavior? A combination of the two? Or is it the same already, where "IKE address" is referring to left/right addresses?

Yes, the meaning is basically the same: omit -> %dynamic -> host addresses (= usually left|right). By the way, you should use swanctl.conf/vici instead of ipsec.conf (check local_ts for the documentation of the equivalent option).

Whatever the behavior is, I suggest keeping only one place (at the end) to talk about omitting the config and consolidating the description.

Go ahead, but not sure if it's worth it (ipsec.conf is deprecated).

Moreover, in one use case, I had a few subnets (left/rightsubnets) in addition to also having a virtual address (left/rightsourceip). It took me a while with trial and error to figure out that I need not only the subnets, but also %dynamic configured to get the tunnel to work as expected. I.e.,

rightsubnet= subnet1, subnet2, %dynamic

I didn't know that this was valid, but it seemed to do the trick for me. Just wondering if this is correct or it should be documented as well.

Why assign a virtual IP if you have subnets on the remote end anyway? Or does the client not have an IP in either subnet? I don't think this is a common scenario (NATing the subnets to the VIP or assigning an IP from one of the subnets to the client is more common, I guess). Anyway, you obviously have to configure a remote traffic selector for the virtual IP, otherwise you won't have an IPsec policy for it; since you don't know it beforehand, the correct option is %dynamic (the VirtualIP page mentions what effect/use %dynamic has, although not in combination with other subnets).
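The resolution rules discussed in this thread (an omitted left|rightsubnet, %dynamic, and a subnet list plus a virtual IP) modelled in Python as an added example; this is not strongSwan code. The address that %dynamic stands for (the peer's IKE address, or the virtual IP it was assigned in the scenario above) is passed in explicitly rather than looked up from an IKE SA, and the sample addresses are constructed.

```python
"""Model of how an ipsec.conf left|rightsubnet value becomes traffic selectors.

Rules taken from the thread: an omitted value is the same as %dynamic, and
%dynamic stands for a single host (/32 or /128) address that is only known at
runtime, so a gateway covering a client's virtual IP must list %dynamic.
"""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def resolve_subnets(value: str, dynamic_addr: str) -> List[Network]:
    """Expand a left|rightsubnet string into the traffic selectors it covers.

    value        -- configured setting, e.g. "10.1.0.0/16, 10.2.0.0/16, %dynamic"
                    (empty string means the option was omitted)
    dynamic_addr -- the address %dynamic stands for (assumption: the caller
                    knows it, e.g. IKE address or assigned virtual IP)
    """
    items = [item.strip() for item in value.split(",") if item.strip()]
    if not items:                       # omitted: treated exactly like %dynamic
        items = ["%dynamic"]
    selectors: List[Network] = []
    for item in items:
        if item == "%dynamic":
            host = ipaddress.ip_address(dynamic_addr)
            # single-host selector: /32 for IPv4, /128 for IPv6
            selectors.append(ipaddress.ip_network(f"{host}/{host.max_prefixlen}"))
        else:
            selectors.append(ipaddress.ip_network(item, strict=False))
    return selectors


def is_covered(selectors: List[Network], addr: str) -> bool:
    """True if some selector (i.e. an IPsec policy) would match packets for addr."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == ts.version and ip in ts for ts in selectors)


if __name__ == "__main__":
    # Constructed gateway-side values: client got VIP 10.3.0.5 via rightsourceip
    without = resolve_subnets("10.1.0.0/16, 10.2.0.0/16", "10.3.0.5")
    with_dyn = resolve_subnets("10.1.0.0/16, 10.2.0.0/16, %dynamic", "10.3.0.5")
    print([str(t) for t in without], is_covered(without, "10.3.0.5"))    # False
    print([str(t) for t in with_dyn], is_covered(with_dyn, "10.3.0.5"))  # True
```

The `without` case reproduces the trial-and-error result from the description: with only the two subnets configured, no policy covers the virtual IP, so traffic to it never enters the tunnel.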

#2 Updated by Tobias Brunner over 3 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No feedback
