[strongSwan] ipv4 and IPv6 traffic H2H ikev2 ipv6 strongswan -help
lux-integ
lux-integ at btconnect.com
Sun Sep 21 20:56:28 CEST 2014
On Saturday 30 August 2014 14:31:11 Noel Kuntze wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello luxInteg,
>
> You can have mixed IPv4 and IPv6 subnets in your right/leftsubnet settings.
> There is no difference in the syntax from iptables to ip6tables. They just
> take different subnets and some modules/targets are different or have
> different options/parameters. With IKEv2, you only need one tunnel. If you
> mix IPv4 and IPv6 subnets in the subnet settings, you get distinct IPsec
> SAs for the IPv4 subnets and the IPv6 subnets. e.g. only foo::1 == bar::1
> and 123.123.123.123/32 == 234.234.234.234/32, not foo::1 ==
> 123.123.123.123/32, obviously. The same thing happens if you have a list
> of subnets from only one IP version in your TS. The notation of several
> subnets in leftsubnet and rightsubnet is "leftsubnet =
> 123.123.123.123/24,234.234.234.234/32". There may be spaces between the
> commas and the individual subnets and between the parameter name and the
> equal sign, as well as between the equal sign and the subnets.
>
thanks AGAIN for the advice. I have two questions:-
If I have a setup as the following
Host-|netSegment1|-A-|netsegment2|-B-|Gateway|---C---|ExtGateway|-Exthost
(Host has x509 certificate (call this Host.crt) from an intermediate CA and a
concatenated Certificate of the RootCA and the IntermediateCA
(call this CatCA.crt))
--QUESTION1
Suppose a tunnel is desired between Host and ExtHost:
are multiple CRL validations required at points A, B and C?
--QUESTION2
Does CatCA.crt only go on the host or is it required on the machines bearing
the crl(s)?
Thanks in advance
luxInteg
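The subnet-list notation and the same-family pairing that Noel describes in the quoted reply are easy to get wrong by hand, so here is an added worked example (not code from the thread or from the strongSwan project) that parses a leftsubnet/rightsubnet line in that notation, tolerating the spaces the reply says are allowed, and shows which (local, remote) selector pairs can actually match traffic: IPv4 with IPv4 and IPv6 with IPv6, never across families. The sample lines are constructed; the IPv6 prefixes use the 2001:db8::/32 documentation range because foo::1/bar::1 from the reply are not valid addresses.

```python
import ipaddress
from itertools import product

# Constructed sample lines in strongSwan's ipsec.conf notation. Whitespace
# around '=' and ',' is deliberately uneven to show it is tolerated.
LEFT_LINE = "leftsubnet = 123.123.123.123/24, 2001:db8:a::1/128"
RIGHT_LINE = "rightsubnet=234.234.234.234/32 ,2001:db8:b::/64"


def parse_subnet_setting(line):
    """Parse 'leftsubnet = a/24, b::/64' into (key, [ip_network, ...]).

    strict=False keeps host bits such as 123.123.123.123/24 from raising;
    the value is normalised to its network (123.123.123.0/24).
    Unparsable entries raise ValueError rather than being silently dropped.
    """
    key, sep, value = line.partition("=")
    key = key.strip()
    if not sep or key not in ("leftsubnet", "rightsubnet"):
        raise ValueError(f"not a leftsubnet/rightsubnet line: {line!r}")
    nets = []
    for token in value.split(","):
        token = token.strip()
        if token:
            nets.append(ipaddress.ip_network(token, strict=False))
    return key, nets


def split_by_family(nets):
    """Group a subnet list by IP version (4 or 6)."""
    return {
        4: [n for n in nets if n.version == 4],
        6: [n for n in nets if n.version == 6],
    }


def matching_selector_pairs(left_nets, right_nets):
    """Return the (local, remote) traffic-selector pairs that can carry
    traffic, keyed by family. Only same-family pairs exist; an IPv4 local
    subnet is never paired with an IPv6 remote subnet or vice versa."""
    left = split_by_family(left_nets)
    right = split_by_family(right_nets)
    pairs = {}
    for fam in (4, 6):
        if left[fam] and right[fam]:
            pairs[fam] = [(str(l), str(r))
                          for l, r in product(left[fam], right[fam])]
    return pairs


def format_subnet_setting(key, nets):
    """Render a subnet list back into the compact, space-free notation."""
    return f"{key}={','.join(str(n) for n in nets)}"


if __name__ == "__main__":
    _, left = parse_subnet_setting(LEFT_LINE)
    _, right = parse_subnet_setting(RIGHT_LINE)
    print(format_subnet_setting("leftsubnet", left))
    print(format_subnet_setting("rightsubnet", right))
    for fam, pairs in matching_selector_pairs(left, right).items():
        for local, remote in pairs:
            print(f"IPv{fam}: {local} <-> {remote}")
```

Running it prints the normalised lines and one selector pair per family; feeding it a leftsubnet with only IPv4 entries and a rightsubnet with only IPv6 entries yields no pairs at all, which is the case to check before concluding that the tunnel is up but "not passing traffic".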