[strongSwan-dev] Adding support for subnets in transport mode (Feature #196)

Daniel Palomares palomaresdaniel at gmail.com
Fri Jul 24 08:57:11 CEST 2015

Thanks for the answer, Tobias,

I got it.


2015-07-23 19:35 GMT+02:00 Tobias Brunner <tobias at strongswan.org>:

> Hi Daniel,
> > I still have one question which is not very clear in my mind.
> >
> > Does this patch allow Subnet-to-Subnet Transport Mode, or does it allow
> > Host-to-Subnet Transport Mode?
> Neither.  This is to simplify configuration of fully-meshed VPNs between
> a number of peers.  IKE and IPsec SAs between the peers are established
> on demand based on the traffic between them.
> > The scenario I want to test is the Following:
> >
> > Subnet A  ------    strongSwan GW ---------------  WAN Networking
> > ---------------- strongSwan GW ---------------  Subnet B.
> >
> > In this particular use case, is it possible to create a single Transport
> > Mode IKEv2/IPsec session between both strongSwan gateways so both
> > subnets can communicate securely?
> No, that's currently not possible with strongSwan.  This scenario is
> just what tunnel mode is for (or GRE over a transport mode IPsec SA).
> IPsec SAs are usually identified by the Protocol, SPI and destination
> address (and often even the source address).  So to decrypt packets
> from/to all hosts transparently a gateway would have to install a whole
> bunch of duplicate SAs (same SPIs, same keys, but different addresses),
> at least as long as the OS' IPsec stack does not have support for this.
> Not sure if that would even work, but I doubt it would scale well.
> Regards,
> Tobias
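To make Tobias' point about SA identification concrete, here is an added example (not strongSwan code, and not from either poster) that models the inbound SAD lookup by (protocol, SPI, destination address) for the subnet-A/subnet-B scenario above. The gateway and subnet addresses are constructed sample values; the three "modes" compare plain transport mode, tunnel mode, and GRE carried over a transport-mode SA.

```python
"""Why one transport-mode SA cannot carry subnet-to-subnet traffic.

Added example, not strongSwan code. A receiving IPsec stack finds the
inbound SA by (protocol, SPI, outer destination address). In transport
mode ESP is inserted into the original packet, so the outer destination
is still the inner host; in tunnel mode (or GRE over transport) the outer
destination is the peer gateway. Addresses below are constructed.
"""
from ipaddress import ip_address, ip_network

ESP = 50                                   # IP protocol number of ESP
GW_A, GW_B = "203.0.113.1", "203.0.113.2"  # constructed gateway addresses
SUBNET_A = ip_network("10.0.1.0/24")       # behind GW_A
SUBNET_B = ip_network("10.0.2.0/24")       # behind GW_B


def outer_dst(mode, inner_dst, peer_gw):
    """Outer IP destination seen by the receiving gateway's SAD lookup."""
    if mode == "transport":
        return inner_dst            # ESP header inserted, IP header kept
    if mode in ("tunnel", "gre+transport"):
        return peer_gw              # new outer header (IPsec or GRE) -> peer
    raise ValueError(f"unknown mode {mode!r}")


def sas_needed(mode, flows, spi=0x1000, peer_gw=GW_B):
    """Set of SAD keys GW_B must hold so every flow's ESP packet matches.

    All entries share the SPI (and, in the real stack, the keys); only the
    destination address differs. One entry is the ideal case.
    """
    return {(ESP, spi, outer_dst(mode, dst, peer_gw)) for _src, dst in flows}


def spd_matches(src, dst):
    """Policy check: the single subnet-to-subnet SPD entry covers the flow."""
    return ip_address(src) in SUBNET_A and ip_address(dst) in SUBNET_B


def lookup(sad, proto, spi, dst):
    """Inbound SAD lookup as the receiving stack performs it."""
    return (proto, spi, dst) in sad


# Constructed flows: two hosts in subnet A talking to three hosts in subnet B.
FLOWS = [(f"10.0.1.{i}", f"10.0.2.{j}") for i in (5, 6) for j in (7, 8, 9)]

if __name__ == "__main__":
    for mode in ("transport", "tunnel", "gre+transport"):
        print(mode, "needs", len(sas_needed(mode, FLOWS)), "SA(s) on GW_B")
```

Grows the transport-mode SA count with every distinct destination host, while the tunnel and GRE-over-transport variants stay at one SA keyed on the peer gateway, which is the scaling problem the reply describes.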