setting leftsubnet to only be the local loopback instead of a wide range. this will avoid blackholing traffic for edges and potentially other nodes
parent
f9ed8fe88b
commit
31abf06342
|
@ -301,6 +301,8 @@ case "$1" in
|
|||
# set ipsec config
|
||||
sed -i \
|
||||
-e "s/FQHOSTNAME/${HOSTNAME}/" \
|
||||
-e "s/LOOPBACKv4/${LOOPBACKv4}\/32/" \
|
||||
-e "s/LOOPBACKv6/${LOOPBACKv6}\/128/" \
|
||||
-e "s/IPSEC_IPV4_SUBNETS/$IPSEC_IPV4_SUBNETS/" \
|
||||
-e "s/IPSEC_IPV6_SUBNETS/$IPSEC_IPV6_SUBNETS/" \
|
||||
$IPSECCONFIG
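Review bot: The two LOOPBACK substitutions write `${LOOPBACKv4}\/32` and `${LOOPBACKv6}\/128` into the config without checking that the variables are set, so a node missing one address family would end up with `leftsubnet=/32` or `leftsubnet=/128` in `$IPSECCONFIG`. (The rendered page has lost its +/- markers; I am assuming these two `-e` lines are the additions, based on the 6→8 line count in the hunk header.) Guard before the `sed`, e.g. `: "${LOOPBACKv4:?LOOPBACKv4 is not set}"` and the same for `LOOPBACKv6`, or skip the conn for the missing family. A delimiter other than `/` would also remove the need for the escaped slash: `-e "s|LOOPBACKv4|${LOOPBACKv4}/32|"`. The enclosing `case "$1" in` block starts and ends outside this hunk.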
|
||||
|
|
|
@ -27,14 +27,14 @@ conn %default
|
|||
|
||||
conn loopback4
|
||||
leftsourceip=%config4
|
||||
leftsubnet=IPSEC_IPV4_SUBNETS
|
||||
leftsubnet=LOOPBACKv4
|
||||
rightsubnet=IPSEC_IPV4_SUBNETS
|
||||
right=%any4
|
||||
|
||||
|
||||
conn loopback6
|
||||
leftsourceip=%config6
|
||||
leftsubnet=IPSEC_IPV6_SUBNETS
|
||||
leftsubnet=LOOPBACKv6
|
||||
rightsubnet=IPSEC_IPV6_SUBNETS
|
||||
right=%any6
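Review bot: Both `conn loopback4` and `conn loopback6` now pair a host-only `leftsubnet` with the still-wide `rightsubnet`, and nothing in the template says why the two sides are asymmetric. A comment above each `leftsubnet` line would keep a later edit from widening it again, e.g. `# leftsubnet is limited to this node's loopback so the tunnel does not attract (and blackhole) traffic for other prefixes`. With the narrower selector, traffic from the right-side ranges to any other address on this node is no longer matched by these conns. Whether that traffic is then sent unprotected or dropped depends on policy outside this hunk and is worth confirming.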
|
||||
|
||||
|
|