[strongSwan] IKEv2 Narrowing conformance question

Hans-Kristian Bakke hkbakke at gmail.com
Wed Jun 6 15:15:15 CEST 2012


I have no comment for your question about listing individual subnets
with Charon, but strictly speaking the "narrowest" subnet for the
range 192.168.10.0-192.168.14.255 is 192.168.8.0/21 not
192.168.0.0/16.

Regards,
Hans-Kristian Bakke

On 4 June 2012 21:27,  <Eric_C_Johnson at dell.com> wrote:
> Hi.
>
> I have the following IPv4 IKEv2 tunnel mode setup:
>
> 192.168.10.0/24 --- GW ---|
> 192.168.11.0/24 --- GW ---|--- Strongswan GW --- Remote peer
> 192.168.12.0/24 --- GW ---|
> 192.168.13.0/24 --- GW ---|
>
> The remote peer has a policy defined as 192.168.0.0/16.  On the Strongswan
> GW I define leftsubnet individually (i.e. 192.168.10.0/24 then
> 192.168.11.0/24 then 192.168.13.0/24 etc.) and each SA establishes fine (this
> would be four separate tests with different leftsubnet definitions for each
> network separately).  These tests seem to indicate that narrowing is working
> to some degree.  However, if I use the comma-separated list (i.e.
> leftsubnet=192.168.10.0/24,192.168.11.0/24,192.168.12.0/24,192.168.13.0/24)
> the proposal fails and none of the SAs establish (specifically due to the
> traffic selectors).  It's my impression that one of the major distinctions
> between IKEv1 and IKEv2 is to accommodate multiple subnets within the
> traffic selectors.  So I would expect the list of multiple subnets to work
> if narrowing was working the way it is defined.  Is my understanding
> incorrect?  If the remote peer fails to accommodate the list of multiple
> subnets, is it non-conforming?
>
> Honestly, I don't really see much value in narrowing to a single subnet like
> what worked initially (i.e. 192.168.10.0/24 <-> 192.168.0.0/16;
> 192.168.11.0/24 <-> 192.168.0.0/16).  In order to get all 4 subnets to the
> remote peer I would need to 1) define the remote peer with a policy of
> 192.168.0.0/16 and 2) define the Strongswan GW with a policy of
> 192.168.0.0/16.  Which means there would be no narrowing going on.  I'm at a
> loss trying to understand this.
>
> Any help you could provide would be appreciated.  Thanks in advance.
>
> Eric Johnson
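As an added illustration (not code from either poster or from strongSwan), the script below models IKEv2 traffic-selector narrowing on the addresses from this thread: it intersects the four /24 selectors with the peer's /16 policy the way RFC 5996 section 2.9 describes, and computes the narrowest single prefix covering the range, which is the /21 mentioned above. It represents selectors as IPv4 address ranges only, ignoring protocol and ports.

```python
import ipaddress

# Constructed from the thread: four /24s behind the strongSwan GW, a /16 policy on the peer.
SITE_SUBNETS = ["192.168.10.0/24", "192.168.11.0/24", "192.168.12.0/24", "192.168.13.0/24"]
PEER_POLICY = ["192.168.0.0/16"]


def ts_from_subnets(subnets):
    """One (first, last) address range per CIDR, as a TSi/TSr payload carries them."""
    ranges = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr)
        ranges.append((str(net[0]), str(net[-1])))
    return ranges


def narrow(proposed, policy):
    """Narrowing: keep the intersection of each proposed range with each policy range."""
    out = []
    for a0, a1 in proposed:
        for b0, b1 in policy:
            lo = max(ipaddress.IPv4Address(a0), ipaddress.IPv4Address(b0))
            hi = min(ipaddress.IPv4Address(a1), ipaddress.IPv4Address(b1))
            if lo <= hi:  # empty intersection means this pair contributes nothing
                out.append((str(lo), str(hi)))
    return out


def smallest_covering_cidr(first, last):
    """Smallest single prefix that contains first..last (the /21 versus /16 point)."""
    a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    prefix = 32
    # Shorten the prefix until both ends share the same network bits.
    while prefix > 0 and (a >> (32 - prefix)) != (b >> (32 - prefix)):
        prefix -= 1
    net = (a >> (32 - prefix)) << (32 - prefix)
    return f"{ipaddress.IPv4Address(net)}/{prefix}"


def exact_cover(first, last):
    """Minimal list of prefixes covering first..last with no extra addresses."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]


if __name__ == "__main__":
    tsi, tsr = ts_from_subnets(SITE_SUBNETS), ts_from_subnets(PEER_POLICY)
    print("peer /16 narrowed against the four /24s:", narrow(tsr, tsi))
    print("single-/24 case:", narrow(ts_from_subnets(SITE_SUBNETS[:1]), tsr))
    print("narrowest prefix for .10.0-.14.255:", smallest_covering_cidr("192.168.10.0", "192.168.14.255"))
    print("exact cover for .10.0-.13.255:", exact_cover("192.168.10.0", "192.168.13.255"))
```

A responder that narrows correctly returns exactly the four /24 ranges from the /16, so a peer that rejects the list is not narrowing as the RFC describes.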