[strongSwan] IKEv2 Narrowing conformance question

Eric_C_Johnson at Dell.com
Mon Jun 4 21:27:02 CEST 2012


Hi.

I have the following IPv4 IKEv2 tunnel mode setup:

192.168.10.0/24 --- GW ---|
192.168.11.0/24 --- GW ---|--- Strongswan GW --- Remote peer
192.168.12.0/24 --- GW ---|
192.168.13.0/24 --- GW ---|

The remote peer has a policy defined as 192.168.0.0/16.  On the Strongswan GW I define leftsubnet individually (i.e. 192.168.10.0/24, then 192.168.11.0/24, then 192.168.13.0/24, etc.) and each SA establishes fine (this would be four separate tests with different leftsubnet definitions for each network separately).  These tests seem to indicate that narrowing is working to some degree.  However, if I use the comma-separated list (i.e. leftsubnet=192.168.10.0/24,192.168.11.0/24,192.168.12.0/24,192.168.13.0/24) the proposal fails and none of the SAs establish (specifically due to the traffic selectors).  It's my impression that one of the major distinctions between IKEv1 and IKEv2 is to accommodate multiple subnets within the traffic selectors.  So I would expect the list of multiple subnets to work if narrowing was working the way it is defined.  Is my understanding incorrect?  If the remote peer fails to accommodate the list of multiple subnets, is it non-conforming?

Honestly, I don't really see much value in narrowing to a single subnet like what worked initially (i.e. 192.168.10.0/24 <-> 192.168.0.0/16; 192.168.11.0/24 <-> 192.168.0.0/16).  In order to get all 4 subnets to the remote peer I would need to 1) define the remote peer with a policy of 192.168.0.0/16 and 2) define the Strongswan GW with a policy of 192.168.0.0/16, which means there would be no narrowing going on.  I'm at a loss trying to understand this.

Any help you could provide would be appreciated.  Thanks in advance.

Eric Johnson
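As an added illustration (not code from the original post, and not strongSwan's own implementation), here is how the RFC 7296 section 2.9 narrowing rule treats the selectors above: the responder intersects each proposed selector with its configured policy and may return several narrowed selectors, so a 192.168.0.0/16 policy against four /24 proposals should yield all four. The `narrow_selectors` and `is_valid_narrowing` helpers are assumed names written for this example.

```python
"""IKEv2 traffic selector narrowing (RFC 7296 sec. 2.9), modelled on CIDR blocks.

Added example: narrow_selectors() computes what a conforming responder should
answer; is_valid_narrowing() checks an observed answer against the proposal
(a responder may only narrow, never widen, and must not return nothing usable).
"""
import ipaddress
from typing import List


def narrow_selectors(proposed: List[str], policy: List[str]) -> List[str]:
    """Intersect every proposed selector with every policy selector.

    Two CIDR blocks either nest or are disjoint, so the intersection of an
    overlapping pair is simply the smaller block.  An empty result means the
    responder would have to reply with TS_UNACCEPTABLE.
    """
    narrowed: List[str] = []
    for p in proposed:
        pn = ipaddress.ip_network(p, strict=False)
        for q in policy:
            qn = ipaddress.ip_network(q, strict=False)
            if pn.version != qn.version:
                continue  # IPv4 vs IPv6 selectors never overlap
            if pn.subnet_of(qn):
                block = str(pn)
            elif qn.subnet_of(pn):
                block = str(qn)
            else:
                continue  # disjoint, contributes nothing
            if block not in narrowed:
                narrowed.append(block)
    return narrowed


def is_valid_narrowing(proposed: List[str], answered: List[str]) -> bool:
    """True if every answered selector lies inside some proposed selector.

    This is the conformance check a responder's TSr/TSi reply must pass:
    it may drop or shrink proposed selectors but may not add address space.
    """
    if not answered:
        return False
    props = [ipaddress.ip_network(p, strict=False) for p in proposed]
    for a in answered:
        an = ipaddress.ip_network(a, strict=False)
        if not any(an.version == pn.version and an.subnet_of(pn) for pn in props):
            return False
    return True


if __name__ == "__main__":
    # Constructed inputs mirroring the setup in the post.
    print(narrow_selectors(["192.168.10.0/24", "192.168.11.0/24"], ["192.168.0.0/16"]))
```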
