[strongSwan] Reply: what's the expression of a range of address?

Tony.He 賀雙鳳 Tony.He at DELTAWW.COM.CN
Thu Feb 25 09:44:16 CET 2016


Hi,

       Thanks for the reply. I have checked the latest kernel code (Git commit ID is 6dc390a). Below is the selector definition.

       /* Selector, used as selector both on policy rules (SPD) and SAs. */
       struct xfrm_selector {
              xfrm_address_t   daddr;        /* destination address (IPv4/IPv6 union) */
              xfrm_address_t   saddr;        /* source address */
              __be16           dport;        /* destination port, compared under dport_mask */
              __be16           dport_mask;
              __be16           sport;        /* source port, compared under sport_mask */
              __be16           sport_mask;
              __u16            family;       /* AF_INET or AF_INET6 */
              __u8             prefixlen_d;  /* prefix length applied to daddr (daddr/prefixlen_d) */
              __u8             prefixlen_s;  /* prefix length applied to saddr (saddr/prefixlen_s) */
              __u8             proto;        /* upper-layer protocol; 0 matches any */
              int              ifindex;      /* interface index, 0 = any */
              __kernel_uid32_t user;         /* owning uid for per-user policies */
       };

       It seems that the kernel doesn't support a range of IP addresses, even though the RFC (http://tools.ietf.org/html/rfc4301#page-26) defines the expression of an IP address range.
       I will try to use a firewall rule or modify the kernel code if necessary.

Best regards
Tony
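As an added example for this thread (not code from strongSwan, from the kernel, or from either poster): because xfrm_selector only carries an address plus prefixlen_s/prefixlen_d, a range such as 192.168.1.2-192.168.1.8 can only reach the kernel as the union of the CIDR prefixes it covers, and the kernel then needs one policy per local/remote prefix pair. The script below computes that split with Python's ipaddress module, checks that the prefix set admits exactly the range and nothing else in the /24, prints the equivalent leftsubnet=/rightsubnet= lists, and prints the iptables rules for the firewall alternative Rayson suggests. Assumptions: strongSwan 5.x with IKEv2 (which accepts comma-separated subnet lists in leftsubnet/rightsubnet), an iptables with the iprange and policy match modules, and FORWARD as the chain the gateway passes tunnel traffic through; the ranges are the ones from the question. The split also works for IPv6 ranges.

```python
"""Express an address range as IPsec selectors: CIDR split plus firewall fallback.

Added example for this thread; not code from strongSwan or the Linux kernel.
"""
from __future__ import annotations

import ipaddress

# Constructed sample input: the two ranges from the question.
SITE_A = ("192.168.1.2", "192.168.1.8")
SITE_B = ("192.168.2.3", "192.168.2.11")


def range_to_prefixes(first: str, last: str) -> list[str]:
    """Minimal list of CIDR prefixes covering the inclusive range first..last.

    xfrm_selector stores saddr/prefixlen_s and daddr/prefixlen_d, so a union
    of prefixes is the only shape in which a range can be handed to the kernel.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"bad range {first}-{last}")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def selector_matches(addr: str, prefixes: list[str]) -> bool:
    """Emulate the kernel's per-direction check: addr & mask == prefix for any selector."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def covers_exactly(first: str, last: str, scope: str) -> bool:
    """True if the split admits every address in the range and no other address in scope."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    prefixes = range_to_prefixes(first, last)
    return all((lo <= ip <= hi) == selector_matches(str(ip), prefixes)
               for ip in ipaddress.ip_network(scope))


def strongswan_subnets(option: str, first: str, last: str) -> str:
    """ipsec.conf line for leftsubnet=/rightsubnet= (assumes IKEv2, several subnets allowed)."""
    return f"{option}={','.join(range_to_prefixes(first, last))}"


def iptables_range_rules(local: tuple[str, str], remote: tuple[str, str]) -> list[str]:
    """Firewall alternative: keep the /24 tunnel and filter by range on the gateway.

    Assumes the FORWARD chain. The policy match limits the rules to packets that
    really were IPsec-protected, so the final DROPs do not touch other traffic.
    """
    rules = []
    for direction, src, dst in (("in", remote, local), ("out", local, remote)):
        rules.append(
            f"iptables -A FORWARD -m policy --dir {direction} --pol ipsec "
            f"-m iprange --src-range {src[0]}-{src[1]} "
            f"--dst-range {dst[0]}-{dst[1]} -j ACCEPT"
        )
    for direction in ("in", "out"):
        rules.append(f"iptables -A FORWARD -m policy --dir {direction} --pol ipsec -j DROP")
    return rules


if __name__ == "__main__":
    print(strongswan_subnets("leftsubnet", *SITE_A))
    print(strongswan_subnets("rightsubnet", *SITE_B))
    print("site A split is exact:", covers_exactly(*SITE_A, "192.168.1.0/24"))
    print("site B split is exact:", covers_exactly(*SITE_B, "192.168.2.0/24"))
    print("\n".join(iptables_range_rules(SITE_A, SITE_B)))
```

Note that 192.168.1.2-192.168.1.8 becomes three prefixes (/31, /30, /32) and 192.168.2.3-192.168.2.11 three more, so the tunnel ends up with nine local/remote selector pairs; the firewall variant needs two ACCEPT rules and two DROPs. Either way the restriction is only as strong as the IP addresses themselves, which is the caveat raised in the reply below.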

From: Rayson Zhu [mailto:vfreex at gmail.com]
Sent: 25 February 2016 14:48
To: Tony.He 賀雙鳳
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] what's the expression of a range of address?

You can use a firewall rule rather than narrowing your tunnel for this scenario.
But users can change their IP addresses manually to bypass your restriction if you haven't bound their MAC addresses/ports to their IP addresses.

On Thu, Feb 25, 2016 at 12:03 PM, Tony.He 賀雙鳳 <Tony.He at deltaww.com.cn> wrote:
Hi,

       Here is the topology.
       local subnet 192.168.1.0/24 - GW A --- Internet --- GW B - local subnet 192.168.2.0/24
       I want to allow only hosts whose IP addresses are in a range to be part of the tunnel. For example, 192.168.1.2-192.168.1.8 are allowed
       in site A and 192.168.2.3-192.168.2.11 are allowed in site B. Can anyone tell me how to configure this? Thanks in advance.

Best regards
Tony


*************************************************************************
This email message, including any attachments, is for the sole
use of the intended recipient(s) and may contain confidential and
privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message. [Delta Electronics, INC. China]
*************************************************************************


_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

