[strongSwan-dev] Adding support for subnets in transport mode (Feature #196)
Tobias Brunner
tobias at strongswan.org
Thu Jul 16 14:56:46 CEST 2015
Hi Stuart,
> I've been looking at adding support for subnets when using transport
> mode. In our use case, it will be far more efficient to allow users to
> specify
> right=192.168.1.128/25
> instead of having to create a separate connection config for each host.
> It appears that there has been some prior interest and work in this area:
> https://wiki.strongswan.org/issues/196
I've updated the trap-any branch (based on the trap-acquire-tracking
branch). Due to the changes in 5.3.0 (reqids don't identify CHILD_SAs
anymore) no additional reqids are required and no awkward SA deletion is
needed anymore. So that removes one of the reservations I had about the
previous iteration of the patch.
And with the above patch it is actually already possible to limit the
remote hosts to specific subnets/IPs. Just set `rightsubnet`
accordingly. I added a test scenario (ikev2/trap-any) in that branch
that illustrates this (see host dave).
Let me know if that works for you.
Regards,
Tobias