[strongSwan-dev] Adding support for subnets in transport mode (Feature #196)
palomaresdaniel at gmail.com
Tue Jul 21 17:24:08 CEST 2015
I'm interested in using Transport Mode for subnets.
I found the Test Scenario description here:
[ Didn't find it on: https://www.strongswan.org/testresults.html ]
And the trap manager patch here:
Do I need anything else to make it work?
Correct me if I'm wrong, this only works with Certificate-based
authentication (CA) and not Pre-Shared Keys (PSK)?
2015-07-16 14:56 GMT+02:00 Tobias Brunner <tobias at strongswan.org>:
> Hi Stuart,
> > I've been looking at adding support for subnets when using transport
> > mode. In our use case, it will be far more efficient to allow users to
> > specify
> > right=192.168.1.128/25
> > instead of having to create a separate connection config for each host.
> > It appears that there has been some prior interest and work in this area:
> > https://wiki.strongswan.org/issues/196
> I've updated the trap-any branch (based on the trap-acquire-tracking
> branch). Due to the changes in 5.3.0 (reqids don't identify CHILD_SAs
> anymore) no additional reqids are required and no awkward SA deletion is
> needed anymore. So that removes one of the reservations I had about the
> previous iteration of the patch.
> And with the above patch it is actually already possible to limit the
> remote hosts to specific subnets/IPs. Just set `rightsubnet`
> accordingly. I added a test scenario (ikev2/trap-any) in that branch
> that illustrates this (see host dave).
> Let me know if that works for you.