[strongSwan] trap-any connection exclude some IPs from rightsubnet block
Paul Nguyen
pnguyen at okta.com
Wed Jan 13 08:03:31 CET 2016
Hello,
I'm running strongSwan 5.3.5, and have the following configuration for host-to-host encryption:
conn trap-any
    type=transport
    authby=psk
    aggressive=no
    left=%any
    right=%any
    rightsubnet=172.16.0.0/24
    keyexchange=ikev2
    ike=aes128gcm128-sha256-ecp256
    esp=aes128gcm128
    auto=route
I need to connect to some hosts in the 172.16.0.0/24 subnet without IPsec. Is it possible to exclude a list of IPs? Is there a configuration that allows me to fall back to a non-IPsec connection after a certain timeout period?
I would like connection trap-any[1] to time out and fall back to a non-encrypted connection.
[root@localhost strongswan]# strongswan status
Routed Connections:
    trap-any{1}:  ROUTED, TRANSPORT, reqid 1
    trap-any{1}:   0.0.0.0/0 === 172.16.0.0/24
Security Associations (0 up, 1 connecting):
    trap-any[1]: CONNECTING, 172.16.0.30[%any]...172.16.0.31[%any]
Thanks!
Paul
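One way to carve individual hosts out of a trap policy in ipsec.conf is a passthrough (shunt) connection for the excluded addresses: strongSwan installs a /32 passthrough policy that is more specific than the /24 trap, so packets to those hosts bypass IPsec while everything else in 172.16.0.0/24 is still trapped. The following is an added example, not configuration from the original post; the connection names and the addresses 172.16.0.10 and 172.16.0.20 are placeholders chosen for illustration. Note that the trap policy holds matching traffic until an SA is established and charon does not fall back to cleartext when a trapped connection fails to come up, so the exclusion has to be declared statically like this rather than triggered by a timeout.

```ini
# Added example (not from the original post): keep the existing /24 trap policy
# and exclude specific hosts with passthrough connections. The passthrough conns
# never negotiate an SA, so they need no authby/keyexchange/ike/esp settings.

conn trap-any
    type=transport
    authby=psk
    aggressive=no
    left=%any
    right=%any
    rightsubnet=172.16.0.0/24
    keyexchange=ikev2
    ike=aes128gcm128-sha256-ecp256
    esp=aes128gcm128
    auto=route

# Hosts that must stay in cleartext (placeholder addresses). A /32 passthrough
# policy is narrower than the /24 trap, so the kernel matches it first and the
# packet is neither trapped nor encrypted.
conn clear-172-16-0-10
    type=passthrough
    leftsubnet=0.0.0.0/0
    rightsubnet=172.16.0.10/32
    auto=route

conn clear-172-16-0-20
    type=passthrough
    leftsubnet=0.0.0.0/0
    rightsubnet=172.16.0.20/32
    auto=route
```

After `strongswan reload` (the same command as `ipsec reload` on distributions that ship the `strongswan` wrapper), `strongswan statusall` lists the passthrough connections next to the routed trap-any entry, and `ip xfrm policy` shows the /32 selectors alongside the 0.0.0.0/0 === 172.16.0.0/24 trap. Verify the exclusion with a ping to one of the excluded hosts while watching `ip xfrm state`: no SA should be created for it, whereas a ping to any other host in the /24 still triggers the trap and an IKEv2 exchange.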