
As I understand it, the virtual_private configuration option declares which subnets should be allowed through the tunnel and which should be excluded. For example, if I have the following configuration:

virtual_private=%v4:10.6.100.0/24,%v4:!192.168.11.0/24,%v4:10.10.0.254/24

...then, according to the ipsec auto --status command, the 10.6.100.0/24 and 10.10.0.0/24 networks are allowed and 192.168.11.0/24 is disallowed:

000 virtual_private (%priv):
000 - allowed 2 subnets: 10.6.100.0/24, 10.10.0.0/24
000 - disallowed 1 subnet: 192.168.11.0/24
000

What does this allowed and disallowed mean? What does this mean under the hood? Are there some routes created? Does it affect some xfrm framework policies?

Martin

1 Answer


This setting, set up on the server side, is used to specify which networks the client can access when it is behind a NAT router through which the clients connect. Usually you will disable the network on which the clients reside.

This value is usually set to all of the RFC 1918 address space, excluding the space used by the local subnet behind the NAT (an IP address cannot live in two places at once).
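As an added example (not part of the question or the answer above, and not Libreswan/Openswan code), the following Python reproduces the bookkeeping the status output shows: it splits a virtual_private string into the allowed and disallowed lists, normalises host bits the way the status line does (10.10.0.254/24 becomes 10.10.0.0/24), renders the two "000 - allowed/disallowed" lines, and adds two checks a practitioner would want when hand-editing the list: whether a given client inner address is permitted (inside an allowed subnet and inside no disallowed one, which is this example's reading of the two lists, not something the page states about the daemon's internals), and whether an exclusion actually lies inside an allowed range at all. The two sample strings are constructed for the example: the first is the line from the question, the second the "all RFC 1918 minus the local LAN" value the answer describes.

```python
import ipaddress

# Constructed samples: the question's value, and the typical
# "all RFC 1918 space minus the LAN behind the NAT" value from the answer.
SAMPLE_FROM_QUESTION = "%v4:10.6.100.0/24,%v4:!192.168.11.0/24,%v4:10.10.0.254/24"
SAMPLE_RFC1918 = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.11.0/24"


def parse_virtual_private(value):
    """Split a virtual_private string into (allowed, disallowed) network lists.

    Each comma-separated entry is "%v4:" or "%v6:" followed by a CIDR; a
    leading "!" on the CIDR marks an exclusion. Host bits are dropped
    (strict=False), which is why 10.10.0.254/24 shows up as 10.10.0.0/24.
    """
    allowed, disallowed = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if ":" not in entry:
            raise ValueError(f"missing %v4:/%v6: prefix in {entry!r}")
        family, cidr = entry.split(":", 1)
        if family not in ("%v4", "%v6"):
            raise ValueError(f"unknown address family {family!r} in {entry!r}")
        negate = cidr.startswith("!")
        net = ipaddress.ip_network(cidr.lstrip("!"), strict=False)
        if (family == "%v4") != (net.version == 4):
            raise ValueError(f"{cidr!r} does not match family {family}")
        (disallowed if negate else allowed).append(net)
    return allowed, disallowed


def format_status(allowed, disallowed):
    """Render the lists in the layout 'ipsec auto --status' uses."""
    def line(label, nets):
        noun = "subnet" if len(nets) == 1 else "subnets"
        return f"000 - {label} {len(nets)} {noun}: " + ", ".join(map(str, nets))
    return "\n".join([
        "000 virtual_private (%priv):",
        line("allowed", allowed),
        line("disallowed", disallowed),
    ])


def is_permitted(address, allowed, disallowed):
    """Example policy: an inner address is permitted when it falls inside
    some allowed subnet and inside no disallowed one (exclusions win)."""
    addr = ipaddress.ip_address(address)
    if any(addr in net for net in disallowed):
        return False
    return any(addr in net for net in allowed)


def unshadowed_exclusions(allowed, disallowed):
    """Exclusions that sit inside no allowed subnet. They change nothing,
    which usually means the list was edited by hand and is not what the
    admin intended (e.g. the LAN was never in an allowed range)."""
    return [
        d for d in disallowed
        if not any(d.subnet_of(a) for a in allowed if a.version == d.version)
    ]


if __name__ == "__main__":
    for sample in (SAMPLE_FROM_QUESTION, SAMPLE_RFC1918):
        allowed, disallowed = parse_virtual_private(sample)
        print(sample)
        print(format_status(allowed, disallowed))
        print("192.168.11.5 permitted:", is_permitted("192.168.11.5", allowed, disallowed))
        print("unshadowed exclusions:", [str(n) for n in unshadowed_exclusions(allowed, disallowed)])
        print()
```

Run it as a script to see both samples rendered in the status layout. For the question's value the exclusion of 192.168.11.0/24 is reported as unshadowed, because nothing in 192.168.0.0/16 was allowed in the first place; for the RFC 1918 value the same exclusion carves the local LAN out of the allowed 192.168.0.0/16, which is the intent the answer describes.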