<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:宋体;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:宋体;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@宋体";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:宋体;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML 预设格式 Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:宋体;}
span.HTMLChar
{mso-style-name:"HTML 预设格式 Char";
mso-style-priority:99;
mso-style-link:"HTML 预设格式";
font-family:"Courier New";}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:black;
font-weight:normal;
font-style:normal;
text-decoration:none none;
vertical-align:baseline;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="ZH-CN" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"> Thanks for reply. I have checked the latest Kernel code(Git commit ID is 6dc390a). Below is the selector definition.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"> /* Selector, used as selector both on policy rules (SPD) and SAs. */<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black">struct xfrm_selector {<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"> xfrm_address_t daddr;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"> xfrm_address_t saddr;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"> __be16 dport;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"> __be16 dport_mask;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"> __be16 sport;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"> __be16 sport_mask;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"> __u16 family;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"> __u8 prefixlen_d;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"> __u8 prefixlen_s;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"> __u8 proto;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"> int ifindex;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"> __kernel_uid32_t user;<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black">};<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"> Seems that Kernel doesn’t support range of IP address even though RFC <a href="http://tools.ietf.org/html/rfc4301#page-26">http://tools.ietf.org/html/rfc4301#page-26</a>
defines the expression of a range IP address.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"> I will try to use firewall rule or modify Kernel code if it’s necessary.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="text-align:justify;text-justify:inter-ideograph"><span lang="EN-US" style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">Best regards<o:p></o:p></span></p>
<p class="MsoNormal" style="text-align:justify;text-justify:inter-ideograph"><span lang="EN-US" style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">Tony<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt">发件人<span lang="EN-US">:</span></span></b><span lang="EN-US" style="font-size:10.0pt"> Rayson Zhu [mailto:vfreex@gmail.com]
<br>
</span><b><span style="font-size:10.0pt">发送时间<span lang="EN-US">:</span></span></b><span lang="EN-US" style="font-size:10.0pt"> 2016</span><span style="font-size:10.0pt">年<span lang="EN-US">2</span>月<span lang="EN-US">25</span>日<span lang="EN-US"> 14:48<br>
</span><b>收件人<span lang="EN-US">:</span></b><span lang="EN-US"> Tony.He </span>賀雙鳳<span lang="EN-US"><br>
</span><b>抄送<span lang="EN-US">:</span></b><span lang="EN-US"> users@lists.strongswan.org<br>
</span><b>主题<span lang="EN-US">:</span></b><span lang="EN-US"> Re: [strongSwan] what's the expression of a range of address?<o:p></o:p></span></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">You can use a firewall rule rather than narrow your tunnel for this scenario.<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">But, users can change their IP addresses manually to bypass your restriction if you didn't bind their MAC addresses/ports to their IP addresses.<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span lang="EN-US">On Thu, Feb 25, 2016 at 12:03 PM, Tony.He
</span>賀雙鳳<span lang="EN-US"> <<a href="mailto:Tony.He@deltaww.com.cn" target="_blank">Tony.He@deltaww.com.cn</a>> wrote:<o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">Hi,<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> Here is the topology.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> local subnet
<a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> -GW A ---Internet----GW B – local subnet
<a href="http://192.168.2.0/24" target="_blank">192.168.2.0/24</a>.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> I want to only allow hosts whose IP addresses in a range to be part of the tunnel. For example, 192.168.1.2-192.168.1.8 are allowed<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> in site A and 192.168.2.3-192.168.2.11 are allowed in site B. Can anyone tell me how to configure? Thanks in advance.<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">Best regards<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US">Tony<o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN-US"> <o:p></o:p></span></p>
</div>
</div>
<table class="MsoNormalTable" border="0" cellpadding="0">
<tbody>
<tr>
<td style="background:white;padding:.75pt .75pt .75pt .75pt">
<pre><span lang="EN-US" style="color:black">*************************************************************************<o:p></o:p></span></pre>
<pre><span lang="EN-US" style="color:black">This email message, including any attachments, is for the sole<o:p></o:p></span></pre>
<pre><span lang="EN-US" style="color:black">use of the intended recipient(s) and may contain confidential and<o:p></o:p></span></pre>
<pre><span lang="EN-US" style="color:black">privileged information. Any unauthorized review, use, disclosure or<o:p></o:p></span></pre>
<pre><span lang="EN-US" style="color:black">distribution is prohibited. If you are not the intended recipient, please<o:p></o:p></span></pre>
<pre><span lang="EN-US" style="color:black">contact the sender by reply e-mail and destroy all copies of the original<o:p></o:p></span></pre>
<pre><span lang="EN-US" style="color:black">message. [Delta Electronics, INC. China]<o:p></o:p></span></pre>
<pre><span lang="EN-US" style="color:black">*************************************************************************<o:p></o:p></span></pre>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span lang="EN-US"><br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
</div>
</div>
</body>
</html>
<table><tr><td bgcolor=#ffffff><font color=#000000><pre>*************************************************************************
This email message, including any attachments, is for the sole
use of the intended recipient(s) and may contain confidential and
privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message. [Delta Electronics, INC. China]
*************************************************************************</pre></font></td></tr></table>