[strongSwan] IKEv2 TS narrowing
Martin Willi
martin at strongswan.org
Tue May 15 09:10:19 CEST 2012
Hi Eric,
> Initiator (Strongswan) ---- Responder
> Defined host (i.e. 10.1.1.1) ---- defined network (i.e. 10.0.0.0\8)
> Defined subnet (i.e. 10.1.1.0\24) ---- defined network (i.e. 10.0.0.0\8)
> Defined Wildcard (i.e. 0.0.0.0\0) ---- defined network (i.e. 10.0.0.0\8)
> Defined network (i.e. 10.0.0.0\8) ---- defined network (i.e. 10.0.0.0\8)
>
> If so, what entries on the Strongswan host would I need to enter to make this work?
Just define left/rightsubnet to the Traffic Selectors strongSwan should
propose. You can also define multiple subnets in IKEv2 by separating
them with commas.
> I also need to introduce similar configs for port\protocol based
> narrowing as well. So I could use some insight into that as well.
The left/rightprotoport options define the protocol and a single port.
We currently can't define full port ranges through ipsec.conf.
See man ipsec.conf for details about these options.
Regards
Martin
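
The options named in the reply above, as an added ipsec.conf sketch that is not part of the original post or the strongSwan documentation: one connection per initiator-side selector from the question, one with comma-separated subnets, and one restricted by protocol and port. The connection names, the responder address 192.0.2.1, the 10.1.2.0/24 subnet, the tcp/80 selector and the use of authby=secret are assumptions.

```conf
# ipsec.conf on the strongSwan initiator (added example, constructed values)
conn %default
    keyexchange=ikev2
    # assumption: pre-shared key authentication, key stored in ipsec.secrets
    authby=secret
    # placeholder responder address
    right=192.0.2.1
    # remote selector proposed in every test case below
    rightsubnet=10.0.0.0/8
    auto=add

# host proposed against the responder's network
conn ts-host
    leftsubnet=10.1.1.1/32

# subnet proposed against the responder's network
conn ts-subnet
    leftsubnet=10.1.1.0/24

# wildcard proposed; the responder may narrow it to what its policy allows
conn ts-wildcard
    leftsubnet=0.0.0.0/0

# same network on both sides
conn ts-network
    leftsubnet=10.0.0.0/8

# IKEv2 only: several local selectors in one proposal, separated by commas
conn ts-multi
    leftsubnet=10.1.1.0/24,10.1.2.0/24

# one protocol and one port per side; port ranges cannot be expressed here
conn ts-protoport
    leftsubnet=10.1.1.0/24
    leftprotoport=tcp
    rightprotoport=tcp/80
```

Initiate one case at a time with `ipsec up <name>` and compare the selectors shown by `ipsec statusall` with what was proposed to see how the responder narrowed them.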