[strongSwan-dev] Adding support for subnets in transport mode (Feature #196)
Daniel Palomares
palomaresdaniel at gmail.com
Tue Jul 21 17:24:08 CEST 2015
Hello all,
I'm interested in using Transport Mode for subnets.
I found the Test Scenario description here:
https://git.strongswan.org/?p=strongswan.git;a=commit;h=d8a5f15f6a0c7665527e2e788001d63e12790f27
[ Didn't find it on: https://www.strongswan.org/testresults.html ]
And the trap manager patch here:
https://git.strongswan.org/?p=strongswan.git;a=commit;h=7b3b674fae4ecc3ae2a1a07a1701dcf6f72b4bd7
Do I need anything else to make it work?
Correct me if I'm wrong, this only works with Certificate-based
authentication (CA) and not Pre-Shared Keys (PSK)?
Thank you!
Daniel Palomares
2015-07-16 14:56 GMT+02:00 Tobias Brunner <tobias at strongswan.org>:
> Hi Stuart,
>
> > I've been looking at adding support for subnets when using transport
> > mode. In our use case, it will be far more efficient to allow users to
> > specify
> > right=192.168.1.128/25
> > instead of having to create a separate connection config for each host.
> > It appears that there has been some prior interest and work in this area:
> > https://wiki.strongswan.org/issues/196
>
> I've updated the trap-any branch (based on the trap-acquire-tracking
> branch). Due to the changes in 5.3.0 (reqids don't identify CHILD_SAs
> anymore) no additional reqids are required and no awkward SA deletion is
> needed anymore. So that removes one of the reservations I had about the
> previous iteration of the patch.
>
> And with the above patch it is actually already possible to limit the
> remote hosts to specific subnets/IPs. Just set `rightsubnet`
> accordingly. I added a test scenario (ikev2/trap-any) in that branch
> that illustrates this (see host dave).
>
> Let me know if that works for you.
>
> Regards,
> Tobias