[strongSwan-dev] Adding support for subnets in transport mode (Feature #196)
palomaresdaniel at gmail.com
Thu Jul 23 18:38:05 CEST 2015
Thanks for your responses,
I still have one question which is not very clear in my mind.
Does this patch allows Subnet-to-Subnet Transport Mode or Does it allows
Host-to-Subnet Transport Mode?
The scenario I want to test is the Following:
Subnet A ------ Strongswan GW --------------- WAN Netwroking
---------------- Strongswan GW --------------- Subnet B.
In this particular use case, is it possible to create a single Transport
Mode IKEv2/IPsec session between both Strongswan's Gateways so both subnets
can communicate securely?
Is there going to be a single IKEv2 session with several IPsec_SAs
concerning every single host within subnets?
If several IPsec_SA are created then I guess there will be a lot a keys
negotiatied to secure communications among all host within the subnets.
Sorry, I probably had to ask this question on the other Mailing-List ;)
Thanks a lot,
2015-07-22 12:14 GMT+02:00 Tobias Brunner <tobias at strongswan.org>:
> Hi Stuart,
> > One possible trigger could be
> > right=%subnet which would point the administrator to the correct
> > configuration directive.
> If you literally mean %subnet (and not %<subnet definition>, which is
> used for the "allow any" functionality) then that might work, although
> there is still the problem that the syntax for the two options is
> different (but we could probably strip stuff like protocol/port and skip
> %dynamic and apply that as `right`). Thanks for the suggestion, I'll
> look into this.
> > I've done some more testing, and so far the updated trap-any branch
> > works well...
> Thanks for testing. I suspect there might be some issues during
> reauthentication or if dpdaction=restart is used (although these might
> be resolved by the changes in the remote-host-fallback branch, at least
> if right=%any is used, or no single addresses would be listed in
> `rightsubnet` with right=%subnet).
> > (*) If the secret is specified per-host, rather than for the range,
> > strongswan does work as a responder. E.G.
> > 192.168.122.0/24 : PSK "mysecret"
> > does not work while
> > 192.168.122.70 : PSK "mysecret"
> > works, albeit only for that specific remote.
> Correct, there is no matching for IP address identities. See my email
> to Daniel for details.
> Dev mailing list
> Dev at lists.strongswan.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Dev