[strongSwan-dev] Adding support for subnets in transport mode (Feature #196)

Daniel Palomares palomaresdaniel at gmail.com
Tue Jul 21 17:24:08 CEST 2015

Hello all,

I'm interested in using Transport Mode for subnets.

I found the Test Scenario description here:
[ Didn't find it on: https://www.strongswan.org/testresults.html ]

And the trap manager patch here:

Do I need anything else to make it work?

Correct me if I'm wrong, this only works with Certificate-based
authentication (CA) and not Pre-Shared Keys (PSK)?

Thank you!

Daniel Palomares

Daniel Palomares

2015-07-16 14:56 GMT+02:00 Tobias Brunner <tobias at strongswan.org>:

> Hi Stuart,
> > I've been looking at adding support for subnets when using transport
> > mode. In our use case, it will be far more efficient to allow users to
> > specify
> >     right=
> > instead of having to create a separate connection config for each host.
> > It appears that there has been some prior interest and work in this area:
> >   https://wiki.strongswan.org/issues/196
> I've updated the trap-any branch (based on the trap-acquire-tracking
> branch).  Due to the changes in 5.3.0 (reqids don't identify CHILD_SAs
> anymore) no additional reqids are required and no awkward SA deletion is
> needed anymore.  So that removes one of the reservations I had about the
> previous iteration of the patch.
> And with the above patch it is actually already possible to limit the
> remote hosts to specific subnets/IPs.  Just set `rightsubnet`
> accordingly.  I added a test scenario (ikev2/trap-any) in that branch
> that illustrates this (see host dave).
> Let me know if that works for you.
> Regards,
> Tobias
> _______________________________________________
> Dev mailing list
> Dev at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20150721/9c44ccb0/attachment.html>

More information about the Dev mailing list