[strongSwan-dev] Adding support for subnets in transport mode (Feature #196)

Stuart Daniel stuartd at lexmark.com
Wed Jul 15 16:17:56 CEST 2015 

I've been looking at adding support for subnets when using transport mode.
In our use case, it will be far more efficient to allow users to specify
    right=192.168.1.128/25
instead of having to create a separate connection config for each host. It
appears that there has been some prior interest and work in this area:
  https://wiki.strongswan.org/issues/196
  https://lists.strongswan.org/pipermail/users/2013-February/004349.html

Timo Teräs posted a set of patches that updated the trap-any support in
April.
  https://lists.strongswan.org/pipermail/dev/2015-April/001344.html

Building on Timo Teräs' patches, I've managed to get this functionality
working in my (limited) testing, and I'm hoping to get some feedback on it.

The first patch file is an updated version of Timo's patches 5 .. 8 (the
ones that were not incorporated into the master branch), based off the
trap-acquire-tracking branch as of July 13
(04f562d83e430fd6b35395def876846923db4b4c).

The second patch file contains the changes I've made to add the subnet
support and fix the issues I found in getting it up and running.

Known caveats:
  * inbound connections using PSK authentication fail, as no matching
config is found
. Outbound connections work, however
  * The subnet parsing is limited to CIDR format for a single range.
          right=192.168.122.15/31 works
          right=192.168.122.14,192.168.122.15 is not parsed

Thanks,

-- Stuart
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150715/11ae2d96/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trap-acquire-tracking-1.patch
Type: text/x-patch
Size: 33860 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150715/11ae2d96/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: trap-acquire-tracking-2.patch
Type: text/x-patch
Size: 5765 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150715/11ae2d96/attachment-0003.bin>

More information about the Dev mailing list