[strongSwan] Question about multiple ports in left/right subnet

Martin Willi martin at strongswan.org
Thu Jul 24 10:17:55 CEST 2014


Hi Dan,

> OK this implies that it will silently be replaced with %any if a range is
> encountered.  Is that correct?

It actually depends on the kernel backend, but for kernel-netlink this
is true.

While from a security standpoint it would be preferable to reject
(configured) port ranges instead, that won't work well if the peer
narrows the port range for some reason. It then makes sense to install
that wider policy to at least make the tunnel work for the negotiated
ports.

So this means you should actually never configure port ranges, unless
you have a custom kernel backend that supports them.

Regards
Martin
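The behaviour discussed above (a port range in leftsubnet/rightsubnet being silently widened to %any by the kernel-netlink backend) is easy to miss when reviewing a configuration. The following Python checker is an added example, not code from the thread or from the strongSwan project: it parses the `subnet[proto/port]` selector form used in ipsec.conf, treats a dash in the port field as a port range (the range syntax is an assumption here), and reports which selectors would end up installed with %any as the port. The sample configuration it lints is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A strongSwan-style traffic selector: "<subnet>[<proto>/<port>]".
# The bracketed proto/port part is optional. The port may be a name, a
# number, or (assumed syntax) a "low-high" range.
TS_RE = re.compile(
    r"^(?P<subnet>[^\[\s]+)(?:\[(?P<proto>[^/\]]+)/(?P<port>[^\]]+)\])?$"
)


@dataclass
class Selector:
    subnet: str
    proto: Optional[str]
    port: Optional[str]
    has_port_range: bool


def parse_selector(text: str) -> Selector:
    """Parse one selector such as '10.1.0.0/24[tcp/443]' or '10.3.0.0/24'."""
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable traffic selector: {text!r}")
    port = m.group("port")
    # A dash in the port field denotes a low-high range; a single port has none.
    is_range = port is not None and "-" in port
    return Selector(m.group("subnet"), m.group("proto"), port, is_range)


def parse_subnet_list(value: str) -> List[Selector]:
    """leftsubnet/rightsubnet take a comma-separated list of selectors."""
    return [parse_selector(p) for p in value.split(",") if p.strip()]


def effective_selector(sel: Selector) -> Selector:
    """What kernel-netlink installs: a configured port range is widened to %any."""
    if sel.has_port_range:
        return Selector(sel.subnet, sel.proto, "%any", False)
    return sel


def lint_config(conf_text: str) -> List[str]:
    """Return one warning per left/rightsubnet selector that contains a port range."""
    warnings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^(leftsubnet|rightsubnet)\s*=\s*(.+)$", line)
        if not m:
            continue
        key, value = m.groups()
        for sel in parse_subnet_list(value):
            if sel.has_port_range:
                eff = effective_selector(sel)
                warnings.append(
                    f"line {lineno}: {key} selector {sel.subnet}[{sel.proto}/{sel.port}] "
                    f"uses a port range; kernel-netlink installs "
                    f"{eff.subnet}[{eff.proto}/{eff.port}] instead"
                )
    return warnings


# Constructed sample configuration (not taken from the mailing list thread).
SAMPLE_CONF = """\
conn web
    leftsubnet=10.1.0.0/24[tcp/443]
    rightsubnet=10.2.0.0/24[tcp/8000-8080],10.3.0.0/24
    auto=add
"""

if __name__ == "__main__":
    for w in lint_config(SAMPLE_CONF):
        print("WARNING:", w)
```

Running the block on the sample prints a single warning for the rightsubnet entry, since the 8000-8080 range on 10.2.0.0/24 would be installed as a policy covering every TCP port on that subnet, exactly the silent widening the reply describes.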