[strongSwan] SS501, ikev1 and per host SA's ?
Martin Willi
martin at strongswan.org
Thu Oct 11 08:17:10 CEST 2012
Hi Kimmo,

> how to do it with only one connection, I see that
> left/rightsubnetwithin is not supported in 5.x.x.

left/rightsubnetwithin is not supported in 5.x because we use IKEv2
style traffic selector narrowing for IKEv1, too.

> I'm acting as initiator and responder prefers IPV4 (SA per host) Phase
> 2 identities.

With IKEv1, you usually can't propose a /24 if the responder has a /32
configuration. It works with strongSwan, as we use this narrowing magic,
but it probably doesn't with any other implementation.

When using IKEv2 this is less of a problem, as the responder should be
capable of narrowing down the traffic selectors to a common subset.

Regards
Martin
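
Added example, not part of the original message and not strongSwan code: a small model of the narrowing described above, next to a strict responder that only accepts identical Phase 2 identities. It assumes selectors are plain CIDR subnets (real traffic selectors also carry protocol and port ranges); the function names and addresses are constructed for illustration.

```python
import ipaddress

def narrow(proposed, configured):
    """IKEv2-style narrowing: intersect every proposed subnet with every
    configured subnet. An empty list means there is no common subset."""
    common = set()
    for p in map(ipaddress.ip_network, proposed):
        for c in map(ipaddress.ip_network, configured):
            if p.version != c.version:
                continue  # IPv4 and IPv6 selectors never overlap
            # Two CIDR blocks either nest or are disjoint, so when they
            # overlap the intersection is simply the smaller block.
            if p.subnet_of(c):
                common.add(p)
            elif c.subnet_of(p):
                common.add(c)
    ordered = sorted(common, key=lambda n: (n.version,
                                            int(n.network_address),
                                            n.prefixlen))
    return [str(n) for n in ordered]

def exact_match(proposed, configured):
    """Assumed model of a strict IKEv1 responder: the proposed identities
    must equal the configured ones, otherwise the proposal is rejected."""
    p = {ipaddress.ip_network(x) for x in proposed}
    c = {ipaddress.ip_network(x) for x in configured}
    return sorted(str(n) for n in p) if p == c else []

if __name__ == "__main__":
    # Constructed sample: initiator proposes a /24, responder holds a /32.
    initiator = ["10.1.0.0/24"]
    responder = ["10.1.0.5/32"]
    print("narrowing responder:", narrow(initiator, responder))
    print("strict responder:   ", exact_match(initiator, responder))
```

With the constructed /24 proposal and /32 configuration, the narrowing responder returns the /32 and the strict one returns nothing, which is the interoperability difference the message points out.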