[strongSwan] Left subnet Limitation?
Martin Willi
martin at strongswan.org
Thu Nov 14 11:00:13 CET 2013
Hi Adrian,
> Doesn't allow more than 115 subnets.
> leftsubnet=172.16.1.0/24,172.16.2.0/24,172.16.3.0/24,172.16.4.0/24,[...]
I think this limitation is fine:
* All these subnet definitions add a traffic selector, letting your
TSi/TSr payloads grow. This creates huge packets, which is
usually bad.
* When installing kernel policies, we have to create a full mesh
between leftsubnet and rightsubnet. If you have 100 subnets in
each, this creates several thousand policies for a single
connection. Probably won't scale that well.
You should really consider simplifying your leftsubnet. 172.16.2.0/24
and 172.16.3.0/24 are actually 172.16.2.0/23, and so you can reduce all
selectors to 3-4 unified selectors.
You may also take a look at the range-split utility at [1], it
calculates the ideal subnet definition for an arbitrary IP address
range.
Regards
Martin
[1]http://git.strongswan.org/?p=strongswan.git;a=blob;f=scripts/range2subnets.c;h=678a15299a06a419995ce6e4b5b23dc07c4cf3d5
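The two points of the reply, that adjacent subnets collapse into fewer selectors and that the kernel policy count is the product of the two subnet lists, can be checked with a short script. The following is an added example, not strongSwan code and not the range2subnets utility linked above; it uses Python's standard `ipaddress` module. The subnet lists and the hand-rounded supernet are constructed sample values, and `extra_addresses` is a hypothetical helper that flags the case a practitioner should watch for: rounding up to a coarser prefix than the originals silently widens the policy to traffic that was never meant to be protected.

```python
"""Collapse a strongSwan-style leftsubnet list into the fewest equivalent
CIDR selectors and estimate the resulting kernel policy mesh.
Added example, not strongSwan code; sample subnets below are constructed."""
import ipaddress
from typing import List

IPNet = ipaddress.IPv4Network

# Constructed samples in the comma-separated form ipsec.conf uses for leftsubnet=.
SAMPLE_LEFT = ",".join(f"172.16.{i}.0/24" for i in range(1, 9))  # 172.16.1.0/24 .. 172.16.8.0/24
SAMPLE_RIGHT = "10.0.0.0/24,10.0.1.0/24,10.0.2.0/24"


def parse_subnets(spec: str) -> List[IPNet]:
    """Parse 'a/24,b/24,...'; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(s.strip(), strict=True)
            for s in spec.split(",") if s.strip()]


def collapse_subnets(nets: List[IPNet]) -> List[IPNet]:
    """Merge adjacent or overlapping networks into the fewest CIDRs that cover
    exactly the same addresses (172.16.2.0/24 + 172.16.3.0/24 -> 172.16.2.0/23).
    collapse_addresses never adds addresses, so the selector does not widen."""
    return list(ipaddress.collapse_addresses(nets))


def to_conf(nets: List[IPNet]) -> str:
    """Render back into the comma-separated leftsubnet= form."""
    return ",".join(str(n) for n in nets)


def policy_mesh_count(left: List[IPNet], right: List[IPNet]) -> int:
    """One policy per (left, right) pair: the full mesh the reply describes."""
    return len(left) * len(right)


def range_to_subnets(first: str, last: str) -> List[IPNet]:
    """Minimal CIDR set covering an inclusive address range, the job the
    range2subnets tool performs."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def extra_addresses(candidate: IPNet, originals: List[IPNet]) -> int:
    """Hypothetical check: how many addresses a hand-picked supernet covers
    beyond the original subnets. Non-zero means the selector got wider than
    intended and the policy now matches traffic that was never listed."""
    merged = collapse_subnets(originals)
    if any(candidate.subnet_of(n) for n in merged):
        return 0  # candidate is already inside an original selector
    covered = sum(n.num_addresses for n in merged if n.subnet_of(candidate))
    return candidate.num_addresses - covered


if __name__ == "__main__":
    left = parse_subnets(SAMPLE_LEFT)
    right = parse_subnets(SAMPLE_RIGHT)
    merged = collapse_subnets(left)
    print("leftsubnet=" + to_conf(merged))
    print("policies before/after:",
          policy_mesh_count(left, right), policy_mesh_count(merged, right))
    print("extra addresses if rounded to 172.16.0.0/16:",
          extra_addresses(ipaddress.ip_network("172.16.0.0/16"), left))
```

For the constructed eight /24s the script yields four selectors (172.16.1.0/24, 172.16.2.0/23, 172.16.4.0/22, 172.16.8.0/24) and cuts the policy mesh against three right subnets from 24 to 12 pairs, while showing that rounding the whole list to 172.16.0.0/16 would add tens of thousands of addresses the configuration never named.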