[strongSwan] trap-any connection exclude some IPs from rightsubnet block

Paul Nguyen pnguyen at okta.com
Wed Jan 13 11:46:40 CET 2016


Hi Noel,

That worked! This is exactly what I needed! I tried two configurations, the second one worked.

First try, using right=, didn't work:

conn passthrough
  type=passthrough
  left=%any
  right=172.16.0.31
  auto=route

[root at localhost strongswan]# strongswan status
Shunted Connections:
 passthrough:  dynamic === dynamic PASS
Routed Connections:
    trap-any{1}:  ROUTED, TRANSPORT, reqid 1
    trap-any{1}:   0.0.0.0/0 === 172.16.0.0/24
Security Associations (0 up, 0 connecting):
  none



Second try, using rightsubnet=, worked:



conn passthrough
  type=passthrough
  left=%any
  rightsubnet=172.16.0.31/32
  auto=route

[root at localhost strongswan]# strongswan status
Shunted Connections:
 passthrough:  dynamic === 172.16.0.31/32 PASS
Routed Connections:
    trap-any{1}:  ROUTED, TRANSPORT, reqid 1
    trap-any{1}:   0.0.0.0/0 === 172.16.0.0/24
Security Associations (1 up, 0 connecting):
    trap-any[1]: ESTABLISHED 16 seconds ago, 172.16.0.30[172.16.0.30]...172.16.0.32[172.16.0.32]
    trap-any{2}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c31c4576_i cb1e3fbe_o
    trap-any{2}:   172.16.0.30/32 === 172.16.0.32/32
[root at localhost strongswan]# ssh 172.16.0.31
Last login: Wed Jan 13 05:38:06 2016 from 172.16.0.30
[root at localhost ~]# logout
Connection to 172.16.0.31 closed.
[root at localhost strongswan]# strongswan status
Shunted Connections:
 passthrough:  dynamic === 172.16.0.31/32 PASS
Routed Connections:
    trap-any{1}:  ROUTED, TRANSPORT, reqid 1
    trap-any{1}:   0.0.0.0/0 === 172.16.0.0/24
Security Associations (1 up, 0 connecting):
    trap-any[1]: ESTABLISHED 23 seconds ago, 172.16.0.30[172.16.0.30]...172.16.0.32[172.16.0.32]
    trap-any{2}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c31c4576_i cb1e3fbe_o
    trap-any{2}:   172.16.0.30/32 === 172.16.0.32/32



Thank you!
Paul


On 1/13/16, 2:04 AM, "Noel Kuntze" <noel at familie-kuntze.de> wrote:

>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA256
>
>Hello Paul,
>
>> Is it possible to exclude a list of IPs?
>Write a passthrough connection for the list of IPs that you want to exclude.
>
>> Is there a configuration that allows me to fail to a non-ipsec connection after a certain timeout period?
>As far as I am aware, there is no way to define such a thing.
>
>
>- -- 
>
>Mit freundlichen Grüßen/Kind Regards,
>Noel Kuntze
>
>GPG Key ID: 0x63EC6658
>Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v2
>
>iQIcBAEBCAAGBQJWliE+AAoJEDg5KY9j7GZYvS8P/AzacDGM8Kvn6oLbltI3v+BZ
>De+b2d8v4k+RtomB/L2mN1w1Xyi+dm26Oc5Jwwu9mNUi5pDI/84b90jepopfoCk1
>7UOev92FWIzUAukokyV0s8qw+/wdfstIdAV3sH6Ef6jiqmAU0ToEtfmjZoWgEoo+
>UNeWghKsaaIwH5cEfg71W761AMWX0Wa9bfG+b5cPxKMvS5LJl2MvKK9yGybQdwKM
>enoJS69hzeyw2g7qF0mPm2Z4TJ8zARxdoNkSG2Fa0GzYR2VBsg25jYk4wD+7lDm6
>KtXjyK2JxY8YYhr8x5cGsvFXYrX/1mqIcMKq9BfjO887JN8JLbE7Ff9G5YiR6Uzv
>KX5mhAsYzozZ5hGp1e9QK57lehWgpeKgwA7kT1L+Pva+rR2FqkClSfF7aHc1BoHs
>xALdGYK6R+QNX0ddlMF+W9btjYDk82Xu1LkmknnUtbVGySLVSQOwEp8DOlWebbVR
>6VxnOhwk0DTh8MyY2KhqKydcSO+Fh4v4ZhN5xqMf0W+m+fNAHK3sTEZ6zo7pkLV4
>jLOKKnvfYPUq9NAGqLqSvR9vB3zDqS+ydNlLXMf3bl03FAmQ3skZmh80OpbVKiVH
>Jwl30TiZA83r7D5iV+WXR2/7FRKG5Eup7GtJ2uPGKn+JDk4rflVc92WYMrzj7snn
>27ZoLB7tHuk6GXjWMcGo
>=v75o
>-----END PGP SIGNATURE-----
>


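Added example (editor's note, not code from the thread or from the strongSwan project): a small checker that parses `strongswan status` output and reports whether a passthrough shunt actually excludes a given host from a trap-any (auto=route) policy. It recognises the failure mode from the first attempt above, a shunt shown as `dynamic === dynamic` that carries no host selector, and also flags the case where a child SA has already been negotiated with the host that was meant to be excluded. The two status texts are constructed from the outputs posted above; the function and variable names are the example's own.

```python
"""Check that a strongSwan passthrough shunt excludes a host from a trap policy.

Added example for the thread above, not part of strongSwan. The sample
status texts below are constructed from the `strongswan status` outputs
posted in the thread.
"""
import ipaddress
import re

# Constructed sample: first attempt (right=172.16.0.31, no rightsubnet)
STATUS_BROKEN = """\
Shunted Connections:
 passthrough:  dynamic === dynamic PASS
Routed Connections:
    trap-any{1}:  ROUTED, TRANSPORT, reqid 1
    trap-any{1}:   0.0.0.0/0 === 172.16.0.0/24
Security Associations (0 up, 0 connecting):
  none
"""

# Constructed sample: second attempt (rightsubnet=172.16.0.31/32)
STATUS_WORKING = """\
Shunted Connections:
 passthrough:  dynamic === 172.16.0.31/32 PASS
Routed Connections:
    trap-any{1}:  ROUTED, TRANSPORT, reqid 1
    trap-any{1}:   0.0.0.0/0 === 172.16.0.0/24
Security Associations (1 up, 0 connecting):
    trap-any[1]: ESTABLISHED 16 seconds ago, 172.16.0.30[172.16.0.30]...172.16.0.32[172.16.0.32]
    trap-any{2}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c31c4576_i cb1e3fbe_o
    trap-any{2}:   172.16.0.30/32 === 172.16.0.32/32
"""

# "name:  left === right PASS|DROP" lines in the Shunted Connections section
SHUNT_RE = re.compile(
    r"^(?P<name>[\w-]+):\s+(?P<left>\S+) === (?P<right>\S+) (?P<mode>PASS|DROP)$")
# "name{n}:  left === right" selector lines for routed and installed child SAs
CHILD_RE = re.compile(r"^(?P<name>[\w-]+)\{\d+\}:\s+(?P<left>\S+) === (?P<right>\S+)$")


def parse_status(text):
    """Split status output into shunt, routed (trap) and installed child selectors."""
    result = {"shunts": [], "routed": [], "installed": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Shunted Connections"):
            section = "shunts"
        elif line.startswith("Routed Connections"):
            section = "routed"
        elif line.startswith("Security Associations"):
            section = "installed"
        elif section == "shunts":
            m = SHUNT_RE.match(line)
            if m:
                result["shunts"].append((m["name"], m["left"], m["right"], m["mode"]))
        elif section in ("routed", "installed"):
            m = CHILD_RE.match(line)
            if m:
                result[section].append((m["name"], m["left"], m["right"]))
    return result


def covers(selector, ip):
    """True if a traffic selector covers ip. 'dynamic' is a placeholder for the
    peer's own address, so for exclusion purposes it covers no specific host."""
    if selector == "dynamic":
        return False
    return ip in ipaddress.ip_network(selector, strict=False)


def check_exclusion(status_text, excluded_ip):
    """Return a list of findings; an empty list means the host is excluded."""
    ip = ipaddress.ip_address(excluded_ip)
    st = parse_status(status_text)
    findings = []
    trapped = [r for r in st["routed"] if covers(r[2], ip)]
    if not trapped:
        findings.append(f"{ip} is not inside any routed trap policy; nothing to exclude")
    for name, left, right, mode in st["shunts"]:
        if mode == "PASS" and left == "dynamic" and right == "dynamic":
            findings.append(f"shunt '{name}' is dynamic === dynamic: no host selector, "
                            "it excludes nothing (set rightsubnet=, not right=)")
    passing = [s for s in st["shunts"] if s[3] == "PASS" and covers(s[2], ip)]
    if trapped and not passing:
        findings.append(f"no PASS shunt covers {ip}; traffic to it is still trapped")
    for name, left, right in st["installed"]:
        if covers(right, ip):
            findings.append(f"child SA '{name}' already covers {ip}; an SA was "
                            "negotiated with the host that should be excluded")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", STATUS_BROKEN), ("working", STATUS_WORKING)):
        print(label, check_exclusion(text, "172.16.0.31") or ["OK: host excluded"])
```

Run it against live output with `strongswan status` piped into `check_exclusion` after each config change; a clean result means the host sits inside the trap subnet, a PASS shunt with a real selector covers it, and no child SA has been installed towards it.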