[strongSwan-dev] Adding support for subnets in transport mode (Feature #196)

Tobias Brunner tobias at strongswan.org
Wed Jul 22 12:14:08 CEST 2015


Hi Daniel,

> And the trap manager patch here:
> https://git.strongswan.org/?p=strongswan.git;a=commit;h=7b3b674fae4ecc3ae2a1a07a1701dcf6f72b4bd7
> 
> Do I need anything else to make it work?

As Stuart already mentioned you'll need the changes in the
trap-acquire-tracking branch.  And you'll need the reqid changes in 5.3.x.

> Correct me if I'm wrong, this only works with Certificate-based
> authentication (CA) and not Pre-Shared Keys (PSK)?

There is no reason for it not to work with PSKs.  Actually, the test
scenario uses PSKs (although with a single secret for all hosts).  But
it works pretty much the same if you want to limit the PSKs to just a
group of hosts, just make sure to use appropriate identities, that is,
using IP addresses (the default) won't work that well as there is no
matching for these (so you'd have to add the same secret for every
possible remote IP).  But using email addresses or hostnames works fine,
then you can e.g. use <host>@<groupid>.example.com as leftid and
*@<groupid>.example.com as rightid and define the PSK with that same
wildcard identity (this works similarly for hostnames).

Regards,
Tobias
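As an added example (not part of this thread, nor configuration from the strongSwan project), the identity scheme Tobias describes, written out as ipsec.conf/ipsec.secrets fragments. The group name "g1", the host names, the subnet and the secrets are made up; the transport-mode subnet and trap (auto=route) settings assume the patched branches mentioned in the reply.

```conf
# /etc/ipsec.conf (constructed example; names and addresses are placeholders)
config setup

conn %default
    keyexchange=ikev2
    authby=secret                   # PSK authentication

conn group-g1
    left=%defaultroute
    leftid=host1@g1.example.com     # this host's own identity: <host>@<groupid>.example.com
    right=%any
    rightid=*@g1.example.com        # only peers of group g1 are accepted
    type=transport
    rightsubnet=10.1.0.0/24         # subnet in transport mode (needs the patched branches)
    auto=route                      # trap policy: SA is set up on the first matching packet

# /etc/ipsec.secrets (constructed example)
# One secret for the whole group: the wildcard identity matches every host
# named <host>@g1.example.com, so no per-IP entries are needed.
*@g1.example.com : PSK "PLACEHOLDER-g1-shared-secret"

# A second group keeps its own secret; hosts of g1 cannot authenticate as g2.
*@g2.example.com : PSK "PLACEHOLDER-g2-shared-secret"
```

With IP-address identities (the default) the same setup would need one secrets line per possible remote address, which is exactly the limitation the reply points out; hostname identities work the same way as the e-mail form shown here.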
