<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: 'Source Code Pro', sans-serif;">
<div>Hello,</div>
<div><br>
</div>
<div>I'm running StrongSwan 5.3.5, and have the following configuration for host-to-host encryption:</div>
<div><br>
</div>
<div>
<div>conn trap-any</div>
<div> type=transport</div>
<div> authby=psk</div>
<div> aggressive=no</div>
<div> left=%any</div>
<div> right=%any</div>
<div> rightsubnet=172.16.0.0/24</div>
<div> keyexchange=ikev2</div>
<div> ike=aes128gcm128-sha256-ecp256</div>
<div> esp=aes128gcm128</div>
<div> auto=route</div>
</div>
<div><br>
</div>
<div>I need to connect to some hosts in the 172.16.0.0/24 subnet without IPsec. Is it possible to exclude a list of IPs? Is there a configuration that allows me to fail over to a non-IPsec connection after a certain timeout period?</div>
<div><br>
</div>
<div>I would like to time out connection trap-any[1] and fail over to a non-encrypted connection.</div>
<div><br>
</div>
<div>[root@localhost strongswan]# strongswan status</div>
<div>
<div>Routed Connections:</div>
<div> trap-any{1}: ROUTED, TRANSPORT, reqid 1</div>
<div> trap-any{1}: 0.0.0.0/0 === 172.16.0.0/24</div>
<div>Security Associations (0 up, 1 connecting):</div>
<div> trap-any[1]: CONNECTING, 172.16.0.30[%any]...172.16.0.31[%any]</div>
</div>
<div><br>
</div>
<div>Thanks!</div>
<div>Paul</div>
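<div><br>
</div>
<div>Added example (not part of the original message, and not strongSwan project code): an ipsec.conf fragment showing how the first question, excluding a list of hosts from a trap policy, is handled in strongSwan 5.x with a passthrough (shunt) connection. The trap-any conn is copied from the message above; the excluded addresses 172.16.0.10 and 172.16.0.11 and the conn name bypass-hosts are constructed placeholders.</div>
<div><br>
</div>

```conf
# Added example, not from the original post or the strongSwan project.
# ipsec.conf for strongSwan 5.x: the trap-any conn from the post, plus a
# passthrough conn that carves specific hosts out of the trap policy.

conn trap-any
    type=transport
    authby=psk
    aggressive=no
    left=%any
    right=%any
    rightsubnet=172.16.0.0/24
    keyexchange=ikev2
    ike=aes128gcm128-sha256-ecp256
    esp=aes128gcm128
    auto=route

# Plaintext exceptions (addresses are constructed placeholders).
# type=passthrough installs a bypass policy instead of a trap policy, so
# traffic matching these selectors is sent without IPsec and no IKE SA is
# negotiated for it. The /32 selectors are narrower than the /24 above,
# so they take precedence for these two hosts. rightsubnet accepts a
# comma-separated list, so several hosts fit in one conn.
conn bypass-hosts
    type=passthrough
    leftsubnet=0.0.0.0/0
    rightsubnet=172.16.0.10/32,172.16.0.11/32
    auto=route
```

<div>After reloading the configuration, the bypass policies are visible with <code>ip xfrm policy</code> on the Linux host next to the trap policy for 172.16.0.0/24. Note that this is a static exception list: it answers the "exclude a list of IPs" question, but it does not give a timed fallback to plaintext for hosts that stay inside the trap policy, which is the second question in the message and is not covered by this fragment. Treat every address on the bypass list as a deliberate decision, since traffic to it leaves the host unprotected.</div>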
</body>
</html>