[strongSwan] CONFIGURATION OF MULTIPLE CHILD SAs IN IPSEC.CONF FILE
Eric Germann
ekgermann at semperen.com
Fri May 26 16:54:50 CEST 2017
You can’t do it in strongSwan directly, but if you combine SS + iptables you can (assuming Linux here, but the concept is the same).
rightsubnet = 172.27.186.64/28 # This puts 172.27.186.64 -> 80 in the tunnel scope
leftsubnet = 172.30.200.172/29 # This puts 172.30.200.172 -> 180 in the tunnel scope
Then in iptables, do an explicit FORWARD statement for the hosts (/32s) you want to forward. You can get as fancy or simple as you want, from all ports/protocols to individual port/protocol combinations with state tracking.
Let SS do the forwarding/crypto and the FW do the access control.
EKG
> On May 26, 2017, at 8:27 AM, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>
> Hello Chris,
>
> You can't.
>
> Kind regards,
> Noel
>
> On 26.05.2017 10:30, christopher kamutumwa wrote:
>> Hello all,
>>
>> I have a query: how can I configure multiple ChildSAs for a range of IPs in the ipsec.conf file, e.g. the IPs below?
>>
>> right subnet = 172.27.186.71-74
>> right subnet = 172.27.186.64-66
>> left subnet = 172.30.200.172-176
>>
>> Will appreciate any help rendered.
>>
>> regards
>>
>> chris
>>
>>
>
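
The approach in the reply above, as an added example that is not part of the original thread: it checks that each requested host falls inside the configured traffic selector and generates per-host FORWARD rules as text for review, without running them. The function names are hypothetical, and it assumes the remote (right) hosts open the connections and that host bits in a subnet are masked to the network boundary.

```python
import ipaddress

RIGHT_TS = "172.27.186.64/28"   # rightsubnet from the reply
LEFT_TS = "172.30.200.172/29"   # leftsubnet from the reply

def expand(prefix, first, last):
    """Expand a last-octet range such as 172.27.186.71-74 into host addresses."""
    return [ipaddress.ip_address(f"{prefix}.{n}") for n in range(first, last + 1)]

def outside(hosts, selector):
    """Return the hosts that the traffic selector does not cover."""
    # Assumption: host bits are masked, so 172.30.200.172/29 is read as 172.30.200.168/29.
    net = ipaddress.ip_network(selector, strict=False)
    return [h for h in hosts if h not in net]

def forward_rules(remote_hosts, local_hosts):
    """Build FORWARD rules: listed remote hosts may open connections to listed local hosts."""
    right = ipaddress.ip_network(RIGHT_TS, strict=False)
    left = ipaddress.ip_network(LEFT_TS, strict=False)
    # State tracking lets reply packets back out without per-host rules.
    rules = ["iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in remote_hosts:
        for l in local_hosts:
            # "-m policy --pol ipsec" only matches packets that arrived through the tunnel.
            rules.append(f"iptables -A FORWARD -s {r}/32 -d {l}/32 "
                         "-m policy --dir in --pol ipsec "
                         "-m conntrack --ctstate NEW -j ACCEPT")
    # Everything else inside the tunnel scope is dropped, in both directions.
    rules.append(f"iptables -A FORWARD -s {right} -d {left} -j DROP")
    rules.append(f"iptables -A FORWARD -s {left} -d {right} -j DROP")
    return rules

# Ranges from the original question.
REMOTE = expand("172.27.186", 71, 74) + expand("172.27.186", 64, 66)
LOCAL = expand("172.30.200", 172, 176)

if __name__ == "__main__":
    for side, hosts, ts in (("right", REMOTE, RIGHT_TS), ("left", LOCAL, LEFT_TS)):
        for h in outside(hosts, ts):
            print(f"# {h} is outside {side}subnet {ts}: no tunnel traffic for this host")
    print("\n".join(forward_rules(REMOTE, LOCAL)))
```

A host reported as outside its selector never reaches the FORWARD chain through the tunnel, so the selector has to be widened before an ACCEPT rule for that host has any effect.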