[strongSwan-dev] Adding support for subnets in transport mode (Feature #196)

Daniel Palomares palomaresdaniel at gmail.com
Thu Jul 23 18:38:05 CEST 2015


Thanks for your responses,

I still have one question which is not very clear in my mind.

Does this patch allow Subnet-to-Subnet Transport Mode, or does it allow
Host-to-Subnet Transport Mode?

The scenario I want to test is the following:

Subnet A ---- Strongswan GW -------- WAN Networking -------- Strongswan GW ---- Subnet B.

In this particular use case, is it possible to create a single Transport
Mode IKEv2/IPsec session between both Strongswan Gateways so both subnets
can communicate securely?

Is there going to be a single IKEv2 session with several IPsec_SAs
concerning every single host within the subnets?
If several IPsec_SAs are created, then I guess there will be a lot of keys
negotiated to secure communications among all hosts within the subnets.

Sorry, I probably had to ask this question on the other Mailing-List ;)


Thanks a lot,


Daniel Palomares


2015-07-22 12:14 GMT+02:00 Tobias Brunner <tobias at strongswan.org>:

> Hi Stuart,
>
> > One possible trigger could be
> > right=%subnet which would point the administrator to the correct
> > configuration directive.
>
> If you literally mean %subnet (and not %<subnet definition>, which is
> used for the "allow any" functionality) then that might work, although
> there is still the problem that the syntax for the two options is
> different (but we could probably strip stuff like protocol/port and skip
> %dynamic and apply that as `right`).  Thanks for the suggestion, I'll
> look into this.
>
> > I've done some more testing, and so far the updated trap-any branch
> > works well...
>
> Thanks for testing.  I suspect there might be some issues during
> reauthentication or if dpdaction=restart is used (although these might
> be resolved by the changes in the remote-host-fallback branch, at least
> if right=%any is used, or no single addresses would be listed in
> `rightsubnet` with right=%subnet).
>
> > (*) If the secret is specified per-host, rather than for the range,
> > strongswan does work as a responder. E.G.
> >    192.168.122.0/24 : PSK "mysecret"
> > does not work while
> >    192.168.122.70 : PSK "mysecret"
> > works, albeit only for that specific remote.
>
> Correct, there is no matching for IP address identities.  See my email
> to Daniel for details.
>
> Regards,
> Tobias
>
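As an added illustration (not taken from the thread or from the strongSwan project), a constructed ipsec.conf/ipsec.secrets sketch of the options discussed above: a transport-mode conn with right=%any and the remote subnet in rightsubnet, next to the two secret styles Stuart contrasted. The conn name, the 192.0.2.1 gateway address and the assumption that auto=route installs trap policies for this conn (the trap-any behaviour under discussion) are mine, not the project's.

```conf
# /etc/ipsec.conf (constructed example; assumes the trap-any branch behaviour
# described in this thread: trap policies for the whole rightsubnet, with a
# transport-mode CHILD_SA negotiated per remote host on first matching packet)
conn subnet-transport
    type=transport
    left=192.0.2.1
    leftid=192.0.2.1
    right=%any
    rightsubnet=192.168.122.0/24
    authby=psk
    auto=route

# /etc/ipsec.secrets
# A range selector is NOT matched against IP address identities (Tobias' reply),
# so this entry does not let the gateway act as responder for the subnet:
#   192.168.122.0/24 : PSK "mysecret"
# Per-host selectors are matched, one line per remote peer:
192.0.2.1 192.168.122.70 : PSK "mysecret"
192.0.2.1 192.168.122.71 : PSK "mysecret"
```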