[strongSwan] Left subnet Limitation?

Johannes Hubertz johannes at hubertz.de
Thu Nov 14 12:04:43 CET 2013


Hi,

perhaps you would like to think about some simplification of your leftsubnet
definitions; please consider using Google's python-ipaddr module, easily
installed with

apt-get install python-ipaddr

Then you simply write a small script like this:

------------8<--------8<------------
# cat ip-excl.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
from ipaddr import IPv4Network

# example values: the big network and the subnet to carve out of it
bignet = "172.16.0.0/16"
subnet = "172.16.0.0/24"

b = IPv4Network(bignet)
s = IPv4Network(subnet)
print b, "excluding", s
print
# address_exclude() yields the minimal list of networks that together
# cover b without s
for n in b.address_exclude(s):
    print n
------------8<--------8<------------

Running this will show the minimal solution:
# python ip-excl.py
172.16.0.0/16 excluding 172.16.0.0/24

172.16.1.0/24
172.16.2.0/23
172.16.4.0/22
172.16.8.0/21
172.16.16.0/20
172.16.32.0/19
172.16.64.0/18
172.16.128.0/17
#

Feel free to use other numbers, especially for the netmasks.

Have fun
Johannes
On 14.11.2013 03:30, Adrian Milanoski wrote:
> Hi all,
> 
> I think I just found a bug in the strongSwan code or even a limitation.
> 
> Option
> Leftsubnet
> 
> Doesn't allow more than 115 subnets.
> 
> E.g.
> conn ikev2_psk_FQDN_200subnets
> leftid=server
> leftsubnet=172.16.1.0/24,172.16.2.0/24,172.16.3.0/24,172.16.4.0/24,172.16.5.0/24,172.16.6.0/24,172.16.7.0/24,172.16.8.0/24,172.16.9.0/24,172.16.10.0/24,172.16.11.0/24,172.16.12.0/24,172.16.13.0/24,172.16.14.0/24,172.16.15.0/24,172.16.16.0/24,172.16.17.0/24,172.16.18.0/24,172.16.19.0/24,172.16.20.0/24,172.16.21.0/24,172.16.22.0/24,172.16.23.0/24,172.16.24.0/24,172.16.25.0/24,172.16.26.0/24,172.16.27.0/24,172.16.28.0/24,172.16.29.0/24,172.16.30.0/24,172.16.31.0/24,172.16.32.0/24,172.16.33.0/24,172.16.34.0/24,172.16.35.0/24,172.16.36.0/24,172.16.37.0/24,172.16.38.0/24,172.16.39.0/24,172.16.40.0/24,172.16.41.0/24,172.16.42.0/24,172.16.43.0/24,172.16.44.0/24,172.16.45.0/24,172.16.46.0/24,172.16.47.0/24,172.16.48.0/24,172.16.49.0/24,172.16.50.0/24,172.16.51.0/24,172.16.52.0/24,172.16.53.0/24,172.16.54.0/24,172.16.55.0/24,172.16.56.0/24,172.16.57.0/24,172.16.58.0/24,172.16.59.0/24,172.16.60.0/24,172.16.61.0/24,172.16.62.0/24,172.16.63.0/24,172.16.64.0/24,172.16.65.0/24,172.16.66.0/24,172.16.67.0/24,172.16.68.0/24,172.16.69.0/24,172.16.70.0/24,172.16.71.0/24,172.16.72.0/24,172.16.73.0/24,172.16.74.0/24,172.16.75.0/24,172.16.79.0/24,172.16.80.0/24,172.16.81.0/24,172.16.82.0/24,172.16.83.0/24,172.16.84.0/24,172.16.85.0/24,172.16.86.0/24,172.16.87.0/24,172.16.88.0/24,172.16.89.0/24,172.16.90.0/24,172.16.91.0/24,172.16.92.0/24,172.16.93.0/24,172.16.94.0/24,172.16.95.0/24,172.16.96.0/24,172.16.97.0/24,172.16.98.0/24,172.16.99.0/24,172.16.100.0/24,172.16.101.0/24,172.16.102.0/24,172.16.103.0/24,172.16.104.0/24,172.16.105.0/24,172.16.106.0/24,172.16.107.0/24,172.16.108.0/24,172.16.109.0/24,172.16.110.0/24,172.16.111.0/24,172.16.112.0/24,172.16.113.0/24,172.16.114.0/24,172.16.115.0/24,172.16.116.0./24,172.16.117.0/24,172.16.118.0/24,172.16.119.0/24,172.16.120.0/24,172.16.121.0/24,172.16.122.0/24,172.16.123.0/24,172.16.124.0/24,172.16.125.0/24,172.16.126.0/24,172.16.127.0/24,172.16.128.0/24,172.16.129.0/24,172.16.130.0/24,172.16.131.0/24,172.16.132.0/24,172.16.133.0/24,172.16.134.0/24,172.16.135.0/24,172.16.136.0/24,172.16.137.0/24,172.16.138.0/24,172.16.139.0/24,172.16.140.0/24,172.16.141.0/24,172.16.142.0/24,172.16.143.0/24,172.16.144.0/24,172.16.145.0/24,172.16.146.0/24,172.16.147.0/24,172.16.148.0/24,172.16.149.0/24,172.16.150.0/24,172.16.151.0/24,172.16.152.0/24,172.16.153.0/24,172.16.154.0/24,172.16.155.0/24,172.16.156.0/24,172.16.157.0/24,172.16.158.0/24,172.16.159.0/24,172.16.160.0/24,172.16.161.0/24,172.16.162.0/24,172.16.163.0/24,172.16.164.0/24,172.16.165.0/24,172.16.166.0/24,172.16.167.0/24,172.16.168.0/24,172.16.169.0/24,172.16.170.0/24,172.16.171.0/24,172.16.172.0/24,172.16.173.0/24,172.16.174.0/24,172.16.175.0/24,172.16.176.0/24,172.16.177.0/24,172.16.178.0/24,172.16.179.0/24,172.16.180.0/24,172.16.181.0/24,172.16.182.0/24,172.16.183.0/24,172.16.184.0/24,172.16.185.0/24,172.16.186.0/24,172.16.187.0/24,172.16.188.0/24,172.16.189.0/24,172.16.190.0/24,172.16.191.0/24,172.16.192.0/24,172.16.193.0/24,172.16.194.0/24,172.16.195.0/24,172.16.196.0/24,172.16.197.0/24,172.16.198.0/24,172.16.199.0/24,172.16.200.0/24
> rightid=200subnetuser
> authby=secret
> 
> 
> Can anyone comment on this limitation? Is this a bug?
> 
> 
> Regards,
> 
> Adrian Milanoski
> Lab Administrator
> BBOS WiFI VPN. Security Testing - R&D
> 4715 Tahoe Blvd, Mississauga, ON, Canada, L4W 0B5
> Tel.(289) 261-5801 | Fax.(905) 629-7836
> Email  amilanoski at blackberry.com<mailto:amilanoski at blackberry.com>
> 


-- 
Johannes Hubertz

Managing partner of hubertz-it-consulting GmbH
Registered office: Grengeler Mauspfad 111a,  D-51147 Köln,  European Common,
Commercial register:  Köln HRB55865,    VAT ID no.:  DE814465092
Tel.: +49 (0) 1607421564      Electronic Mail: it-consult at hubertz.de
GnuPG Fingerprint: a81f e2da f1f9 a0e3 be20 b2b0 005e a2e3 cff5 a06f

Your service for data protection and information security:
Reliable networks for confidential communication
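As an added example (not from either mail in this thread), here is the same idea in Python 3's standard ipaddress module, generalized in two ways: exclude_many() carves several networks out of a big one at once, and collapse() merges a list like the 200 /24s in the quoted leftsubnet= into the fewest CIDR prefixes covering exactly the same addresses. POSTED_SUBNETS is constructed here to model that list (172.16.1.0/24 to 172.16.200.0/24 with .76 to .78 absent); it is not copied from the post.

```python
import ipaddress


def exclude_many(bignet, excluded):
    """Minimal CIDR list covering bignet with every network in excluded removed."""
    remaining = [ipaddress.ip_network(bignet)]
    for ex in (ipaddress.ip_network(e) for e in excluded):
        kept = []
        for net in remaining:
            if not net.overlaps(ex):
                kept.append(net)                      # untouched by this exclusion
            elif ex.prefixlen <= net.prefixlen:
                continue                              # ex covers net entirely: drop it
            else:
                kept.extend(net.address_exclude(ex))  # ex lies strictly inside net
        remaining = kept
    # collapse_addresses() merges adjacent halves back together and sorts
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def collapse(subnets):
    """Fewest prefixes that cover exactly the addresses of the given CIDR list."""
    nets = (ipaddress.ip_network(s) for s in subnets)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def address_count(cidrs):
    """Total number of addresses covered by a CIDR list (for sanity checks)."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)


# Constructed input modelled on the quoted 200-subnet leftsubnet= value.
POSTED_SUBNETS = ["172.16.%d.0/24" % i for i in range(1, 201) if i not in (76, 77, 78)]

if __name__ == "__main__":
    print("172.16.0.0/16 excluding 172.16.0.0/24:")
    for n in exclude_many("172.16.0.0/16", ["172.16.0.0/24"]):
        print("  " + n)
    merged = collapse(POSTED_SUBNETS)
    print("%d posted /24s collapse to %d prefixes:" % (len(POSTED_SUBNETS), len(merged)))
    for n in merged:
        print("  " + n)
```

The collapsed list is the one to put in leftsubnet=, since it covers the same addresses with far fewer entries.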
