Question about multiple ports in left/right subnet

Martin Willi martin at strongswan.org
Thu Jul 24 10:17:55 CEST 2014

Hi Dan,

> OK this implies that it will silently be replaced with %any if a range is
> encountered.  Is that correct?

It actually depends on the kernel backend, but for kernel-netlink this
is true.

While from a security standpoint it would be preferable to reject
(configured) port ranges instead, that won't work well if the peer
narrows the port range for some reason. It then makes sense to install
that wider policy to at least make the tunnel work for the negotiated

So this means you should actually never configure port ranges, unless
you have a custom kernel backend that supports them.
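Added example, not part of the mailing-list post and not strongSwan code: a small lint that parses traffic selectors in the strongSwan-style form `<subnet>[<proto>/<port>]` (this syntax, the `%any` wildcard and the `lo-hi` range form are assumptions of the example) and flags the case described above, a configured port range that the kernel-netlink backend would install as an any-port policy. The helper names (`parse_ts`, `effective_policy_ports`, `lint_children`) and the sample child configurations are constructed for this example; the per-port variant is shown as an assumed alternative that avoids ranges entirely.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed traffic-selector syntax (strongSwan style): "<subnet>[<proto>/<port>]".
# <port> may be a single number, "%any", or a range "lo-hi". All helper
# names below are this example's own, not strongSwan's API.
_TS_RE = re.compile(
    r"^(?P<subnet>[^\[\]\s]+)"
    r"(?:\[(?P<proto>[^/\]]+)(?:/(?P<port>[^\]]+))?\])?$"
)


@dataclass(frozen=True)
class TrafficSelector:
    subnet: str
    proto: str              # "any" when no protocol is given
    port_lo: Optional[int]  # None means any port
    port_hi: Optional[int]

    @property
    def is_port_range(self) -> bool:
        return self.port_lo is not None and self.port_lo != self.port_hi


def _parse_port(spec: str):
    spec = spec.strip()
    if spec in ("", "%any"):
        return None, None
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {spec}")
        return lo, hi
    port = int(spec)
    if not 0 <= port <= 65535:
        raise ValueError(f"bad port: {spec}")
    return port, port


def parse_ts(text: str) -> TrafficSelector:
    m = _TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable traffic selector: {text!r}")
    subnet = m.group("subnet")
    if subnet != "%any":
        ipaddress.ip_network(subnet, strict=False)  # validates the CIDR / address
    proto = (m.group("proto") or "any").strip()
    lo, hi = _parse_port(m.group("port") or "")
    return TrafficSelector(subnet, proto, lo, hi)


def effective_policy_ports(ts: TrafficSelector) -> str:
    """Port coverage the thread says kernel-netlink ends up installing:
    a single port is kept, a range degrades to any port."""
    if ts.port_lo is None or ts.is_port_range:
        return "any"
    return str(ts.port_lo)


def lint_children(children) -> List[str]:
    """children: {name: {"local_ts": str, "remote_ts": str}} -> warnings."""
    warnings = []
    for name, child in children.items():
        for key in ("local_ts", "remote_ts"):
            spec = child.get(key)
            if spec is None:
                continue
            for item in spec.split(","):
                ts = parse_ts(item)
                if ts.is_port_range:
                    warnings.append(
                        f"{name}.{key}: {item.strip()} is a port range; installed "
                        f"policy would match {ts.proto} port "
                        f"{effective_policy_ports(ts)}, not {ts.port_lo}-{ts.port_hi}"
                    )
    return warnings


# Constructed sample configurations: the same intent written two ways.
RANGE_CONFIG = {
    "web": {"local_ts": "10.0.0.0/24[tcp/80-443]", "remote_ts": "10.0.1.0/24"},
}
PER_PORT_CONFIG = {
    "http":  {"local_ts": "10.0.0.0/24[tcp/80]",  "remote_ts": "10.0.1.0/24"},
    "https": {"local_ts": "10.0.0.0/24[tcp/443]", "remote_ts": "10.0.1.0/24"},
}

if __name__ == "__main__":
    for label, cfg in (("range", RANGE_CONFIG), ("per-port", PER_PORT_CONFIG)):
        print(label, lint_children(cfg) or "ok")
```

Running the block prints one warning for the range configuration and "ok" for the per-port one; the point of the check is to catch, before deployment, a selector whose installed policy would be wider than what the configuration file reads as.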


