[strongSwan] Encrypting a local network

Noel Kuntze noel at familie-kuntze.de
Wed Jun 18 13:12:20 CEST 2014



Hello Rainer,

Yes, that would be great indeed, but judging from the description of "left", that isn't supported yet.
From the manpage of ipsec.conf about "left":

"[...] To limit the connection to a specific range of hosts, a range ( 10.1.0.0-10.2.255.255 ) or a subnet ( 10.1.0.0/16 ) can be specified, and multiple addresses, ranges and subnets can be separated by commas. While one can freely combine these items, to initiate the connection at least one non-range/subnet is required."

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 18.06.2014 13:08, Rainer Klute wrote:
> On 18.06.2014 12:41, Noel Kuntze wrote:
>> Yes, this is possible.
>> Look at those scenarios: [1] and [2].
>>
>> [1] http://www.strongswan.org/uml/testresults/ikev2/host2host-cert/
>> [2] http://www.strongswan.org/uml/testresults/ikev2/host2host-transport/
>
> Thanks, Noel!
>
> However, this would require to configure a connection for each
> host-to-host pair, i.e. O(n²) connections for n authenticated hosts.
>
> Wouldn't it be great if there were a simpler way, i.e. something like
>
> left = 192.168.1.0/24
> leftca = "C=DE, O=My Organisation, CN=My Certification Authority"
> leftcert = my-cert.pem
> right = 192.168.1.0/24
> rightca = %same
>
> in each station's ipsec.conf and with only my-cert.pem (and my-key.pem)
> being station-specific?
>

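The manpage rule quoted above (hosts, ranges and subnets may be mixed in "left"/"right", but initiating needs at least one plain host) can be checked mechanically. The following is an added example, not code from the thread or from strongSwan; it parses such a value with Python's ipaddress module and applies the rule to Rainer's proposed "192.168.1.0/24". The /32-as-host handling and the `covers` helper are this example's own assumptions, not documented strongSwan behaviour.

```python
import ipaddress


def parse_endpoint_spec(spec):
    """Split a strongSwan left/right value into (kind, value) items.

    kind is "host" (single address), "range" ((lo, hi) tuple) or
    "subnet" (ip_network). Assumption: a /32 or /128 counts as a host.
    """
    items = []
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            continue
        if "-" in token:                       # range a-b
            lo, hi = (ipaddress.ip_address(p.strip())
                      for p in token.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError("invalid range: " + token)
            items.append(("range", (lo, hi)))
        elif "/" in token:                     # subnet a/n
            net = ipaddress.ip_network(token, strict=False)
            if net.num_addresses == 1:
                items.append(("host", net.network_address))
            else:
                items.append(("subnet", net))
        else:                                  # plain host
            items.append(("host", ipaddress.ip_address(token)))
    return items


def can_initiate(spec):
    """Manpage rule: initiating needs at least one non-range/subnet item."""
    return any(kind == "host" for kind, _ in parse_endpoint_spec(spec))


def covers(spec, addr):
    """True if addr falls inside any host, range or subnet of spec."""
    ip = ipaddress.ip_address(addr)
    for kind, value in parse_endpoint_spec(spec):
        if kind == "host" and ip == value:
            return True
        if kind == "range" and value[0].version == ip.version \
                and value[0] <= ip <= value[1]:
            return True
        if kind == "subnet" and ip in value:
            return True
    return False


if __name__ == "__main__":
    # Rainer's proposal: a subnet only, so it can respond but not initiate.
    print(can_initiate("192.168.1.0/24"))                  # False
    print(can_initiate("192.168.1.0/24, 192.168.1.10"))    # True
```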