[strongSwan] Allowing Certain Ranges to use certain PSK in ipsec.secrets

Tobias Brunner tobias at strongswan.org
Tue Nov 5 18:45:13 CET 2013


Hi Adrian,

> Is it possible to set up ipsec.secrets to allow only certain subnets to
> use certain PSKs?
> 
> 24.177.*.* : PSK “tempskforme”
> 
> Is this at all possible? How can I control which subnets are allowed to
> access my GW?

With the just released strongSwan 5.1.1 this should be possible.  This
release allows you to configure

	right=<subnet>,<or range>,<or single ips>,<or mixed>

instead of right=%any.  Then instead of configuring an IP address in
ipsec.secrets you'd configure a specific leftid for each of your
connections (of course, your clients have to accept/use that ID as
rightid), and then use that ID in ipsec.secrets to select the secret.

Regards,
Tobias
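
An added configuration sketch of the setup described in the reply above (not part of the original message and not taken from the strongSwan project). The 24.177.0.0/16 subnet is the 24.177.*.* range from the question; the connection names, the gateway IDs, the second connection's addresses, `keyexchange=ikev2` and the secrets are constructed placeholders.

```conf
# ---- /etc/ipsec.conf (strongSwan 5.1.1 or later) ----

# Clients from the 24.177.*.* range in the question.
conn psk-cable
    keyexchange=ikev2            # assumption: IKEv2 is used
    authby=secret
    left=%any
    leftid=@gw-cable.example.org # constructed ID, selects the PSK below
    right=24.177.0.0/16          # a subnet instead of right=%any
    auto=add

# A second group with its own PSK: a subnet mixed with a range
# (constructed documentation addresses).
conn psk-office
    keyexchange=ikev2
    authby=secret
    left=%any
    leftid=@gw-office.example.org
    right=192.0.2.0/24,198.51.100.10-198.51.100.20
    auto=add

# No conn uses right=%any, so a peer outside the listed
# subnets and ranges matches no PSK connection.

# ---- /etc/ipsec.secrets ----
# Each secret is selected by the gateway's leftid, not by a peer IP.
@gw-cable.example.org  : PSK "placeholder-secret-for-cable-clients"
@gw-office.example.org : PSK "placeholder-secret-for-office-clients"
```

Each client has to configure the matching gateway ID as its `rightid`, as the reply points out.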




