<div dir="ltr"><p style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:11px;line-height:16.200000762939453px;padding-left:2em">Would help if read the entire section:</p><p style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:11px;line-height:16.200000762939453px;padding-left:2em">
"The port value can alternatively take the value <em>%opaque</em> for RFC 4301 OPAQUE selectors, or a numerical range<br>in the form 1024-65535. None of the kernel backends currently supports opaque or port ranges and uses <em>%any</em><br>
for policy installation instead."</p><p style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:11px;line-height:16.200000762939453px;padding-left:2em">OK this implies that it will silently be replaced with %any if a range is encountered. It that correct?</p>
<p style="color:rgb(54,0,12);font-family:Verdana,sans-serif;font-size:11px;line-height:16.200000762939453px;padding-left:2em"><br></p></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jul 23, 2014 at 12:54 PM, Dan Cook <span dir="ltr"><<a href="mailto:onedsc@gmail.com" target="_blank">onedsc@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I am trying to figure out how to express port ranges in the left/right subnet configuration in the ipsec.conf file.<div>
<br></div><div>I found a feature request here:</div><div><a href="https://wiki.strongswan.org/issues/278" target="_blank">https://wiki.strongswan.org/issues/278</a><br>
</div><div><br></div><div>The resolution says:</div>"Starting with 5.1.0, port ranges can be configured for left/rightsubnet selectors, refer to ipsec.conf(5) for details."<div></div><div><br></div><div>However there is no example of port ranges in the online docs. Is there an example of a port range configuration that can be shared?</div>
<div><br></div><div>Also there is an additional comment:</div>"However, none of our kernel backends support such ranges. As it is unlikely that such an extension will be accepted by the Linux networking folks, we can't do much about it."<div>
<br></div><div>What exactly does that mean? If you configure ranges SS will: </div><div>1) do nothing - SS silently ignores them.</div><div>2) configure the range as individual ports (100-200) will be result in 200 connections being configured.</div>
<div>3) Try to send it to the kernel and hopelessly fail</div><div>4) throw an error and move on</div><div><br></div><div>What options do I have if I need to configure a range of ports? </div><div><br></div><div>Regards, </div>
<span class="HOEnZb"><font color="#888888">
<div>Dan</div><div><br></div></font></span></div>
</blockquote></div><br></div>