[strongSwan-dev] Adding support for subnets in transport mode (Feature #196)
Daniel Palomares
palomaresdaniel at gmail.com
Fri Jul 24 08:57:11 CEST 2015
Thanks for the answer, Tobias,
I got it.
Daniel
2015-07-23 19:35 GMT+02:00 Tobias Brunner <tobias at strongswan.org>:
> Hi Daniel,
>
> > I still have one question which is not very clear in my mind.
> >
> > Does this patch allow Subnet-to-Subnet Transport Mode, or does it allow
> > Host-to-Subnet Transport Mode?
>
> Neither. This is to simplify configuration of fully-meshed VPNs between
> a number of peers. IKE and IPsec SAs between the peers are established
> on demand based on the traffic between them.
>
> > The scenario I want to test is the Following:
> >
> > Subnet A ------ Strongswan GW --------------- WAN Networking ---------------- Strongswan GW --------------- Subnet B.
> >
> > In this particular use case, is it possible to create a single Transport
> > Mode IKEv2/IPsec session between both Strongswan's Gateways so both
> > subnets can communicate securely?
>
> No, that's currently not possible with strongSwan. This scenario is
> just what tunnel mode is for (or GRE over a transport mode IPsec SA).
>
> IPsec SAs are usually identified by the Protocol, SPI and destination
> address (and often even the source address). So to decrypt packets
> from/to all hosts transparently a gateway would have to install a whole
> bunch of duplicate SAs (same SPIs, same keys, but different addresses),
> at least as long as the OS' IPsec stack does not have support for this.
> Not sure if that would even work, but I doubt it would scale well.
>
> Regards,
> Tobias
>
>
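The reason Tobias gives (an IPsec SA is looked up by protocol, SPI and destination address, so a single transport-mode SA bound to the gateway address cannot match packets addressed to hosts behind it) can be made concrete with a small model. The following is an added illustration, not code from the thread or from strongSwan; the SAD keying follows the explanation above, and the gateway addresses, subnets and SPI are constructed values:

```python
"""Model of why one transport-mode SA between two gateways cannot carry
subnet-to-subnet traffic while one tunnel-mode SA can.  Added example,
not strongSwan code; the SAD is keyed (protocol, SPI, destination), as
described in the thread.  All addresses and the SPI are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

GW_A, GW_B = "192.0.2.1", "198.51.100.1"          # constructed gateway addresses
SUBNET_A, SUBNET_B = "10.1.0.0/24", "10.2.0.0/24"  # constructed subnets behind them
SPI = 0xC0FFEE                                     # constructed SPI


@dataclass(frozen=True)
class SA:
    proto: str   # "esp" or "ah"
    spi: int
    dst: str     # destination address the SA is bound to
    mode: str    # "transport" or "tunnel"


@dataclass(frozen=True)
class EspPacket:
    src: str     # outer IP header
    dst: str
    spi: int
    proto: str = "esp"
    inner_src: Optional[str] = None   # inner IP header, tunnel mode only
    inner_dst: Optional[str] = None


class SAD:
    """Security Association Database keyed by (proto, SPI, dst)."""
    def __init__(self) -> None:
        self._table: dict = {}

    def add(self, sa: SA) -> None:
        self._table[(sa.proto, sa.spi, sa.dst)] = sa

    def lookup(self, pkt: EspPacket) -> Optional[SA]:
        return self._table.get((pkt.proto, pkt.spi, pkt.dst))

    def __len__(self) -> int:
        return len(self._table)


def encapsulate(sa: SA, outer_src: str, src_host: str, dst_host: str) -> EspPacket:
    """How a gateway emits a host-to-host packet under the given SA."""
    if sa.mode == "transport":
        # Transport mode keeps the original IP header: dst stays the end host.
        return EspPacket(src=src_host, dst=dst_host, spi=sa.spi, proto=sa.proto)
    # Tunnel mode adds an outer header between the gateways; hosts move inside.
    return EspPacket(src=outer_src, dst=sa.dst, spi=sa.spi, proto=sa.proto,
                     inner_src=src_host, inner_dst=dst_host)


def receive(sad: SAD, pkt: EspPacket) -> Optional[tuple]:
    """Inbound processing at the receiving gateway: returns the (src, dst)
    of the decrypted packet, or None when no SA matches (packet dropped)."""
    sa = sad.lookup(pkt)
    if sa is None:
        return None
    if sa.mode == "tunnel":
        return (pkt.inner_src, pkt.inner_dst)
    return (pkt.src, pkt.dst)


def transport_sas_needed(sad: SAD, spi: int, subnet: str) -> int:
    """Number of duplicate transport-mode SAs (same SPI, same keys, different
    destination) the receiving gateway would need to decrypt traffic to every
    host in its subnet, the workaround the thread says would not scale."""
    for host in ip_network(subnet).hosts():
        sad.add(SA("esp", spi, str(host), "transport"))
    return len(sad)


def demo() -> tuple:
    transport_sa = SA("esp", SPI, GW_B, "transport")
    transport_sad = SAD()
    transport_sad.add(transport_sa)
    # Gateway-to-gateway traffic works, since dst is the gateway itself ...
    gw_ok = receive(transport_sad, encapsulate(transport_sa, GW_A, GW_A, GW_B))
    # ... but a packet for a host behind GW_B finds no SA and is dropped.
    host_pkt = encapsulate(transport_sa, GW_A, "10.1.0.5", "10.2.0.7")
    dropped = receive(transport_sad, host_pkt) is None

    tunnel_sa = SA("esp", SPI, GW_B, "tunnel")
    tunnel_sad = SAD()
    tunnel_sad.add(tunnel_sa)
    delivered = receive(tunnel_sad, encapsulate(tunnel_sa, GW_A, "10.1.0.5", "10.2.0.7"))
    return gw_ok, dropped, delivered, len(tunnel_sad), transport_sas_needed(SAD(), SPI, SUBNET_B)


if __name__ == "__main__":
    print(demo())
```

`demo()` shows the three outcomes in one place: transport mode between the gateway addresses works, the same SA drops host-to-host traffic, and one tunnel-mode SA delivers it; `transport_sas_needed` counts the 254 per-host duplicates a /24 would require if one tried to force transport mode anyway.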