[strongSwan] Question about multiple ports in left/right subnet
martin at strongswan.org
Thu Jul 24 10:17:55 CEST 2014
> OK this implies that it will silently be replaced with %any if a range is
> encountered. Is that correct?
It actually depends on the kernel backend, but for kernel-netlink this
While from a security standpoint it would be preferable to reject
(configured) port ranges instead, that won't work well if the peer
narrows the port range for some reason. It then makes sense to install
that wider policy to at least make the tunnel work for the negotiated
So this means you should actually never configure port ranges, unless
you have a custom kernel backend that supports them.
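The widening described above leaves a trace in the installed policies: the kernel selector shows no dport at all where a specific port was configured. As an added example (not from this thread and not strongSwan's own code), this Python checker parses constructed `ip xfrm policy` output and flags policies that match any port although a single port or a port range was intended; the subnets, ports and reqids are assumed sample values.

```python
import re

# Constructed sample of `ip xfrm policy` output, not captured from a real host.
# Policy 1 was configured for tcp/443 and installed as such; policy 2 was
# configured with a port range, which the netlink backend widened to "any port".
SAMPLE_XFRM_POLICY = """\
src 10.0.0.0/24 dst 10.1.0.0/24 proto tcp dport 443
    dir out priority 383615 ptype main
    tmpl src 192.0.2.1 dst 192.0.2.2
        proto esp reqid 1 mode tunnel
src 10.0.2.0/24 dst 10.1.2.0/24 proto tcp
    dir out priority 383615 ptype main
    tmpl src 192.0.2.1 dst 192.0.2.2
        proto esp reqid 2 mode tunnel
"""

# Intended destination ports per (src, dst, dir) as (low, high); assumed values
# mirroring the sample above. (0, 65535) would mean "any port" was intended.
INTENDED = {
    ("10.0.0.0/24", "10.1.0.0/24", "out"): (443, 443),
    ("10.0.2.0/24", "10.1.2.0/24", "out"): (8000, 8010),
}

_SEL = re.compile(r"^src (\S+) dst (\S+)(?: proto (\S+))?(?: sport (\d+))?(?: dport (\d+))?\s*$")
_DIR = re.compile(r"^\s+dir (\S+)")


def parse_policies(text):
    """Return (src, dst, proto, sport, dport, dir) tuples; a missing port is 0 (any)."""
    policies, current = [], None
    for line in text.splitlines():
        m = _SEL.match(line)
        if m:
            src, dst, proto, sport, dport = m.groups()
            current = [src, dst, proto, int(sport or 0), int(dport or 0)]
            continue
        m = _DIR.match(line)
        if m and current is not None:
            policies.append(tuple(current) + (m.group(1),))
            current = None
    return policies


def find_widened(policies, intended):
    """Flag policies whose kernel selector matches any port where a port or range was intended."""
    findings = []
    for src, dst, proto, sport, dport, direction in policies:
        want = intended.get((src, dst, direction))
        if want is None:
            continue
        lo, hi = want
        if dport == 0 and (lo, hi) != (0, 65535):
            findings.append(f"{src}->{dst} {direction}: intended dport {lo}-{hi}, kernel policy matches any port")
    return findings
```

Run `find_widened(parse_policies(SAMPLE_XFRM_POLICY), INTENDED)` to see the widened policy reported.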