[strongSwan-dev] Adding support for subnets in transport mode (Feature #196)

Stuart Daniel stuartd at lexmark.com
Thu Jul 16 22:03:46 CEST 2015 

Tobias,

On Thu, Jul 16, 2015 at 8:56 AM, Tobias Brunner <tobias at strongswan.org>
wrote:

> Hi Stuart,
>
> > I've been looking at adding support for subnets when using transport
> > mode. In our use case, it will be far more efficient to allow users to
> > specify
> >     right=192.168.1.128/25
> > instead of having to create a separate connection config for each host.
> > It appears that there has been some prior interest and work in this area:
> >   https://wiki.strongswan.org/issues/196
>
> I've updated the trap-any branch (based on the trap-acquire-tracking
> branch).  Due to the changes in 5.3.0 (reqids don't identify CHILD_SAs
> anymore) no additional reqids are required and no awkward SA deletion is
> needed anymore.  So that removes one of the reservations I had about the
> previous iteration of the patch.
>
> And with the above patch it is actually already possible to limit the
> remote hosts to specific subnets/IPs.  Just set `rightsubnet`
> accordingly.  I added a test scenario (ikev2/trap-any) in that branch
> that illustrates this (see host dave).
>
> Let me know if that works for you.
>
>
Tobias,

Thanks for the update; that works for our use case. I've tried the updated
trap-any branch, and it works well (in very limited testing) so far with
one caveat. If you specify
  right=%any
  rightsubnet=192.168.0.0/30
then things work as expected. If the administrator uses
  right=192.168.0.0/30
however, the proposed traffic selector is 0.0.0.0/0 for both sides instead
of 192.168.0.0/30. This blocks traffic to *all* hosts, not just the
selected range, and leads to charon trying to initiate IKE even with hosts
that are not in the specified range.

This could be construed as a misconfiguration, but my reading of the
documentation implies that it is valid to specify a range for right. I
implemented a solution in my earlier patch, and can update it if needed to
base off this branch. The basic fix I went with was to catch the
substitution of any for the actual subnet in the trap_manager install
method, and use the subnet for the traffic selector later.

Thanks,

-- Stuart
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150716/82e34196/attachment.html>

More information about the Dev mailing list