[strongSwan-dev] Adding support for subnets in transport mode (Feature #196)

Tobias Brunner tobias at strongswan.org
Wed Jul 22 12:14:10 CEST 2015


Hi Stuart,

> One possible trigger could be
> right=%subnet which would point the administrator to the correct
> configuration directive.

If you literally mean %subnet (and not %<subnet definition>, which is
used for the "allow any" functionality) then that might work, although
there is still the problem that the syntax for the two options is
different (but we could probably strip stuff like protocol/port and skip
%dynamic and apply that as `right`).  Thanks for the suggestion, I'll
look into this.

> I've done some more testing, and so far the updated trap-any branch
> works well...

Thanks for testing.  I suspect there might be some issues during
reauthentication or if dpdaction=restart is used (although these might
be resolved by the changes in the remote-host-fallback branch, at least
if right=%any is used, or no single addresses would be listed in
`rightsubnet` with right=%subnet).

> (*) If the secret is specified per-host, rather than for the range,
> strongswan does work as a responder. E.G.
>    192.168.122.0/24 : PSK "mysecret"
> does not work while
>    192.168.122.70 : PSK "mysecret"
> works, albeit only for that specific remote.

Correct, there is no matching for IP address identities.  See my email
to Daniel for details.

Regards,
Tobias
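As an added illustration (not strongSwan code, and not from Stuart or Tobias) of why the `/24` entry never matches while the single-host entry does: a small model of a PSK lookup keyed on the peer's IP identity, first as plain identity comparison (the behaviour the thread describes), then a hypothetical subnet-aware variant. The ipsec.secrets lines and the secret values are constructed for the example.

```python
"""Model of PSK lookup by IP identity: exact match vs. subnet-aware.

Added illustration only; this is not strongSwan's secret lookup.
"""
import ipaddress
import re

# Constructed ipsec.secrets entries mirroring the two from the thread
# (distinct secrets so the two lookups can be told apart).
SECRETS = """\
192.168.122.0/24 : PSK "subnetsecret"
192.168.122.70 : PSK "hostsecret"
"""

_PSK_LINE = re.compile(r'^\s*(\S+)\s*:\s*PSK\s+"([^"]*)"\s*$')


def parse_secrets(text):
    """Return a list of (selector, psk) tuples; non-PSK lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = _PSK_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def lookup_exact(entries, peer_ip):
    """Compare the peer's IP identity with each selector as an opaque identity.
    '192.168.122.0/24' is never equal to a host address, so it is skipped:
    the responder finds no secret for 192.168.122.71."""
    for selector, psk in entries:
        if selector == peer_ip:
            return psk
    return None


def lookup_subnet_aware(entries, peer_ip):
    """Hypothetical variant: selectors with a prefix length are networks and
    match by containment; the longest prefix wins, so a host entry still
    takes precedence over its enclosing subnet."""
    addr = ipaddress.ip_address(peer_ip)
    best = None
    for selector, psk in entries:
        try:
            net = ipaddress.ip_network(selector, strict=False)
        except ValueError:
            continue  # selector is not an IP/subnet, e.g. an FQDN identity
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, psk)
    return best[1] if best else None
```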
