[strongSwan] Scalable deployment

Martin Willi martin at strongswan.org
Mon Jan 3 12:01:48 CET 2011


Hi Yaron,

> I would like to define the policy so that I don't have to touch all
> existing servers when I add a new one to the group.

You can define a connection with rightid=%any or use a wildcard
identity. For a responder configuration, using right=%any allows you to
accept any initiator that has a valid certificate.

> In other words, a generic policy for all potential peers (taken from
> a certain subnet).

Initiating a transport mode SA without an explicit configuration, at
least on the initiator, is not possible. We could dynamically create a
configuration based on a triggering packet, but we currently don't
support such a feature.

> Is %group still supported for IKEv1? Is there a 
> way to get similar functionality in Charon?

I've never used it and don't know if it still works. Charon does not know
that keyword.

Regards
Martin
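A worked responder configuration for the right=%any / rightid=%any advice above, written as an added example here rather than taken from the thread or from strongSwan's own documentation. It assumes IKEv2 with charon, one internal CA whose certificate sits in /etc/ipsec.d/cacerts, a responder host gw.example.org with its certificate in /etc/ipsec.d/certs/gw.pem, and transport mode as in the thread; the hostnames, DNs and file names are placeholders. It shows the loose form first and a tightened variant next to it.

```ini
# Added example (not from the original thread or strongSwan's docs).
# Assumed: IKEv2 (charon), X.509 certificates issued by one internal CA,
# responder "gw.example.org" with its certificate in /etc/ipsec.d/certs/gw.pem.
# Transport mode as in the thread; each initiator still needs its own
# explicit conn, since charon cannot initiate without a configuration.

config setup

conn %default
    keyexchange=ikev2
    type=transport
    leftauth=pubkey
    rightauth=pubkey

# Loose variant: any initiator presenting a valid certificate that chains
# to any CA in /etc/ipsec.d/cacerts is accepted. Adding a server to the
# group means issuing it a certificate; existing responders are untouched.
# The cacerts directory is the real trust boundary here.
conn peers-any
    left=%defaultroute
    leftcert=gw.pem
    leftid="C=CH, O=Example, CN=gw.example.org"
    right=%any
    rightid=%any
    auto=add

# Tightened variant: still no per-peer entries, but the peer's certificate
# must be issued by the group CA and its subject must match the group's
# DN prefix (wildcard in the CN attribute).
conn peers-group
    left=%defaultroute
    leftcert=gw.pem
    leftid="C=CH, O=Example, CN=gw.example.org"
    right=%any
    rightid="C=CH, O=Example, OU=servers, CN=*"
    rightca="C=CH, O=Example, CN=Example Server CA"
    auto=add
```

Deploy one of the two conn sections, not both: with rightid=%any the only check is that the presented certificate chains to a CA charon has loaded, so a certificate from any other CA in cacerts (a client CA, a test CA) would also be accepted; the rightca and wildcard rightid constraints in the second section are what limit the group to certificates actually issued for it. Both forms apply to the responder side only; to initiate, each server still needs a conn naming its peers.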
