[strongSwan] Left subnet Limitation?

Adrian Milanoski amilanoski at blackberry.com
Thu Nov 14 17:24:31 CET 2013


Hi Martin,

Thanks for the response. Simplifying the subnet was not an option unfortunately as customers are requesting this.

Appreciate your prompt response either way as always. :)


Regards,

Adrian Milanoski
Lab Administrator
BBOS WiFI VPN. Security Testing – R&D
Tel.(289) 261-5801 | Cel: (647) 289-261-5801
Email  amilanoski at blackberry.com
-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org] 
Sent: Thursday, November 14, 2013 5:00 AM
To: Adrian Milanoski
Cc: Users at lists.strongswan.org
Subject: Re: [strongSwan] Left subnet Limitation?

Hi Adrian,

> Doesn't allow more than 115 subnets.

> leftsubnet=172.16.1.0/24,172.16.2.0/24,172.16.3.0/24,172.16.4.0/24,[...]

I think this limitation is fine:

      * All these subnet definitions add a traffic selector, letting your
        TSi/TSr payloads grow. This creates huge packets, which is
        usually bad.
      * When installing kernel policies, we have to create a full mesh
        between leftsubnet and rightsubnet. If you have 100 subnets in
        each, this creates several thousand policies for a single
        connection. Probably won't scale that well.

You should really consider simplifying your leftsubnet. 172.16.2.0/24 and 172.16.3.0/24 are actually 172.16.2.0/23, and so you can reduce all selectors to 3-4 unified selectors.

You may also take a look at the range-split utility at [1]; it calculates the ideal subnet definition for an arbitrary IP address range.

Regards
Martin

[1]http://git.strongswan.org/?p=strongswan.git;a=blob;f=scripts/range2subnets.c;h=678a15299a06a419995ce6e4b5b23dc07c4cf3d5
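The two points Martin makes above (adjacent /24s collapse into larger prefixes, and the kernel policy count grows as the full mesh of left and right selectors) can be checked with the standard-library `ipaddress` module. The following is an added example, not the strongSwan `range2subnets.c` utility or any code from the thread; `SAMPLE_LEFT` is a constructed selector list standing in for the 115 /24s mentioned in the original mail, and the helper names are mine.

```python
import ipaddress
from typing import Iterable, List, Sequence


def collapse_selectors(cidrs: Iterable[str]) -> List[str]:
    """Merge a list of CIDR strings into the minimal set of covering prefixes.

    Adjacent, equal-sized networks that together form a valid supernet are
    merged (172.16.2.0/24 + 172.16.3.0/24 -> 172.16.2.0/23); prefixes fully
    contained in another are dropped. Result is sorted by network address.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def range_to_subnets(first: str, last: str) -> List[str]:
    """Minimal CIDR list covering an inclusive address range (what a
    range-split tool computes), e.g. 172.16.2.0 - 172.16.3.255 -> /23."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def full_mesh_pairs(left: Sequence[str], right: Sequence[str]) -> int:
    """Number of (left, right) selector pairs the IPsec policy set must cover.

    Each pair becomes at least one kernel policy per direction, so the real
    policy count is a small constant multiple of this value (assumption:
    the exact multiplier depends on the kernel interface in use).
    """
    return len(left) * len(right)


# Constructed sample: 115 consecutive /24s, 172.16.1.0/24 .. 172.16.115.0/24,
# modelled on the "more than 115 subnets" limit hit in the original report.
SAMPLE_LEFT = [f"172.16.{i}.0/24" for i in range(1, 116)]
SAMPLE_RIGHT = ["10.0.0.0/8"]


if __name__ == "__main__":
    merged = collapse_selectors(SAMPLE_LEFT)
    print(f"{len(SAMPLE_LEFT)} selectors collapse to {len(merged)}:")
    for n in merged:
        print("  ", n)
    print("policy pairs before:", full_mesh_pairs(SAMPLE_LEFT, SAMPLE_RIGHT))
    print("policy pairs after: ", full_mesh_pairs(merged, SAMPLE_RIGHT))
    print("range split:", range_to_subnets("172.16.2.0", "172.16.3.255"))
```

Because the sample range starts at .1 rather than .0, the collapse cannot reach the 3-4 selectors Martin estimates for the real configuration; the final count always depends on how well the address space aligns to power-of-two boundaries, which is exactly what a range-split tool optimises for.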
