[strongSwan-dev] Adding support for subnets in transport mode (Feature #196)

Tobias Brunner tobias at strongswan.org
Thu Jul 23 19:35:55 CEST 2015

Hi Daniel,

> I still have one question which is not very clear in my mind.
> Does this patch allows Subnet-to-Subnet Transport Mode or Does it allows
> Host-to-Subnet Transport Mode?

Neither.  This is to simplify configuration of fully-meshed VPNs between
a number of peers.  IKE and IPsec SAs between the peers are established
on demand based on the traffic between them.

> The scenario I want to test is the Following:
> Subnet A ------ Strongswan GW --------------- WAN Networking --------------- Strongswan GW --------------- Subnet B.
> In this particular use case, is it possible to create a single Transport
> Mode IKEv2/IPsec session between both Strongswan's Gateways so both
> subnets can communicate securely?

No, that's currently not possible with strongSwan.  This scenario is
just what tunnel mode is for (or GRE over a transport mode IPsec SA).

IPsec SAs are usually identified by the Protocol, SPI and destination
address (and often even the source address).  So to decrypt packets
from/to all hosts transparently a gateway would have to install a whole
bunch of duplicate SAs (same SPIs, same keys, but different addresses),
at least as long as the OS' IPsec stack does not have support for this.
Not sure if that would even work, but I doubt it would scale well.
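The lookup rule described above (an inbound ESP packet is matched to an SA by destination address, SPI and protocol) is what makes the subnet-to-subnet transport-mode scenario fall over. The following is an added example, not strongSwan code and not from the original message: a toy Security Association Database that applies that rule to a packet from a host in subnet A to a host in subnet B, first with a single transport-mode SA between the two gateways, then with a tunnel-mode SA. The gateway and subnet addresses, SPIs and key identifiers are constructed for illustration.

```python
"""Toy model of IPsec SA lookup on an inbound ESP packet.

Added example, not strongSwan code.  It applies the lookup rule from the
message: an inbound SA is found by (destination address, SPI, protocol).
All addresses, SPIs and key identifiers below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ESP = 50  # IP protocol number for ESP
TCP = 6


@dataclass(frozen=True)
class SA:
    dst: IPv4Address     # the "destination address" part of the lookup key
    spi: int
    proto: int           # ESP (or AH)
    mode: str            # "transport" or "tunnel"
    key_id: str          # stands in for the negotiated keys


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: int
    spi: Optional[int] = None            # set for ESP packets
    inner: Optional["Packet"] = None     # encapsulated packet, tunnel mode only


class SAD:
    """Security Association Database keyed exactly as the message describes."""

    def __init__(self) -> None:
        self._sas = {}

    def add(self, sa: SA) -> None:
        self._sas[(sa.dst, sa.spi, sa.proto)] = sa

    def lookup(self, pkt: Packet) -> Optional[SA]:
        return self._sas.get((pkt.dst, pkt.spi, pkt.proto))


def inbound(sad: SAD, pkt: Packet) -> Optional[Packet]:
    """Return the cleartext packet the receiving gateway would forward,
    or None when no SA matches and the packet would be dropped."""
    sa = sad.lookup(pkt)
    if sa is None:
        return None
    if sa.mode == "tunnel":
        # Tunnel mode: the outer header named the gateways, the inner
        # header carries the real endpoints; decapsulate and forward.
        return pkt.inner
    # Transport mode: the outer header *is* the endpoint header.
    return Packet(pkt.src, pkt.dst, proto=TCP)


# Constructed topology: subnet A -- GW A -- WAN -- GW B -- subnet B
GW_A = IPv4Address("198.51.100.1")
GW_B = IPv4Address("203.0.113.1")
HOST_A = IPv4Address("10.1.0.5")
HOST_B = IPv4Address("10.2.0.7")


def transport_demo() -> Optional[Packet]:
    """One transport-mode SA between the gateways.  A host-to-host packet
    carries the hosts' addresses in its only IP header, so GW B's lookup
    (dst=10.2.0.7) finds nothing: the SA is bound to dst=GW_B."""
    sad = SAD()
    sad.add(SA(dst=GW_B, spi=0x1000, proto=ESP, mode="transport", key_id="k1"))
    pkt = Packet(src=HOST_A, dst=HOST_B, proto=ESP, spi=0x1000)
    return inbound(sad, pkt)


def tunnel_demo() -> Optional[Packet]:
    """Tunnel mode: GW A wraps the host packet in an outer header addressed
    to GW B, so the lookup matches and the inner packet is forwarded."""
    sad = SAD()
    sad.add(SA(dst=GW_B, spi=0x2000, proto=ESP, mode="tunnel", key_id="k2"))
    inner = Packet(src=HOST_A, dst=HOST_B, proto=TCP)
    outer = Packet(src=GW_A, dst=GW_B, proto=ESP, spi=0x2000, inner=inner)
    return inbound(sad, outer)


def sas_needed_for_transport(subnet: str) -> int:
    """Number of duplicate SAs (same SPI and keys, different dst) a gateway
    would have to install to cover every host of `subnet` in transport mode."""
    return sum(1 for _ in IPv4Network(subnet).hosts())


if __name__ == "__main__":
    print("transport:", transport_demo())          # None: dropped
    print("tunnel:   ", tunnel_demo())             # inner 10.1.0.5 -> 10.2.0.7
    print("SAs for /24:", sas_needed_for_transport("10.2.0.0/24"))
```

The transport case drops the packet because nothing in the SAD is keyed on the host address; covering a /24 that way would mean 254 SAs per direction sharing one SPI and one key, which is the duplication the message doubts would scale. The tunnel case needs one SA because the outer header is addressed to the gateway itself.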

