[strongSwan] Can I use %any in the "right" parameter of a connection?

Dan Cook onedsc at gmail.com
Wed Jul 30 18:44:56 CEST 2014


Martin,

I realized after I sent the email that it was missing the "rightid"
parameter.  The connection is transport, so there is no gateway involved.
My use case is where the peer is known by multiple IP addresses
(Multi-NIC).  Also I was planning to eventually add an ipv6 address there
as well.

This allows me to encapsulate the peer into one "connection" as identified
by the rightid entry instead of having multiple connection entries, which
is what I really want to do.

Dan




On Tue, Jul 29, 2014 at 11:47 PM, Martin Willi <martin at strongswan.org>
wrote:

> Dan,
>
> > I thought I could use "%any" for the right parameter and then specify the
> > exact ip addresses using the rightsubnet.
>
> What exactly is your intention when doing so?
>
> >   right=%any
> >   rightsubnet=10.100.1.10[tcp/3306],10.100.1.20[tcp/3306]
>
> > 11[CFG] installing trap failed, remote address unknown
>
> To which IKE gateway should we initiate on matching traffic? This
> information is missing from your configuration.
>
> strongSwan currently does not support any-trap policies, where the
> connection is initiated to the destination of the offending traffic.
> Tobias did some work for that at [1], but this has not been integrated
> to mainline yet.
>
> If you need to cover these two hosts, just use two configurations having
> "right" set to the appropriate host.
>
> Regards
> Martin
>
> [1]
> http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/trap-any
>
>
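
Added example, not part of either message above: the failing `right=%any` trap from the quoted configuration next to the two-connection layout Martin suggests, written for `ipsec.conf`. The conn names and the `rightid` value are placeholders, `auto=route` is assumed from the "installing trap failed" log line, and authentication and left-side settings are assumed to live elsewhere (for example in `conn %default`).

```conf
# --- Fails: the trap has no remote IKE address to initiate to ---
# Produces: "installing trap failed, remote address unknown"
conn mysql-peer-any
    type=transport
    right=%any
    rightsubnet=10.100.1.10[tcp/3306],10.100.1.20[tcp/3306]
    auto=route

# --- Works: one conn per peer address, shared settings factored out ---
# Shared settings; rightid is a placeholder for the peer's real identity.
# This section has no auto= line, so it is never loaded on its own.
conn mysql-peer-base
    type=transport
    rightid=@peer.example.org

# First NIC of the peer: trap traffic to tcp/3306 and initiate to this address.
conn mysql-peer-nic1
    also=mysql-peer-base
    right=10.100.1.10
    rightsubnet=10.100.1.10[tcp/3306]
    auto=route

# Second NIC of the same peer: same identity, different address.
conn mysql-peer-nic2
    also=mysql-peer-base
    right=10.100.1.20
    rightsubnet=10.100.1.20[tcp/3306]
    auto=route
```

Both working connections authenticate the same `rightid`, so the peer is still bound to one identity even though each address needs its own trap policy.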