[strongSwan] Can I use %any in the "right" parameter of a connection?
Martin Willi
martin at strongswan.org
Wed Jul 30 08:47:28 CEST 2014
Dan,

> I thought I could use "%any" for the right parameter and then specify the
> exact ip addresses using the rightsubnet.

What exactly is your intention when doing so?

> right=%any
> rightsubnet=10.100.1.10[tcp/3306],10.100.1.20[tcp/3306]

> 11[CFG] installing trap failed, remote address unknown

To which IKE gateway should we initiate on matching traffic? This
information is missing from your configuration.

strongSwan currently does not support any-trap policies, where the
connection is initiated to the destination of the offending traffic.
Tobias did some work for that at [1], but this has not been integrated
to mainline yet.

If you need to cover these two hosts, just use two configurations having
"right" set to the appropriate host.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/trap-any
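
The two-connection layout suggested in the reply above, as an added example that is not part of the original message. The conn names are hypothetical, auto=route is inferred from the "installing trap" log line, and each database host is assumed to terminate IKE itself, so "right" reuses the addresses from the quoted rightsubnet.

```conf
# ipsec.conf fragment: added example, not from the thread.
# Conn names are hypothetical. Local (left*) and authentication settings
# are not shown on the page; carry them over from the existing conn.

# Rejected form: a trap policy needs a concrete peer to initiate to.
# With right=%any charon logs
#   "installing trap failed, remote address unknown"
#conn mysql-any
#    right=%any
#    rightsubnet=10.100.1.10[tcp/3306],10.100.1.20[tcp/3306]
#    auto=route

# One conn per host: "right" names the IKE peer, and rightsubnet keeps
# the traffic selector narrowed to that host's MySQL port only.
conn mysql-10
    # left*/auth settings as in the existing conn
    right=10.100.1.10
    rightsubnet=10.100.1.10[tcp/3306]
    auto=route

conn mysql-20
    # left*/auth settings as in the existing conn
    right=10.100.1.20
    rightsubnet=10.100.1.20[tcp/3306]
    auto=route
```

After reloading, "ipsec statusall" should list both conns under "Routed Connections"; traffic to either host on tcp/3306 then triggers negotiation with that host alone.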