[strongSwan] CONFIGURATION OF MULTIPLE CHILD SAs IN IPSEC.CONF FILE
ekgermann at semperen.com
Fri May 26 16:54:50 CEST 2017
You can’t do it in strongSwan directly, but if you combine SS + iptables you can (assuming Linux here, but the concept is the same).
rightsubnet = 172.27.186.64/28 # This puts 172.27.186.64 -> 80 in the tunnel scope
leftsubnet = 172.30.200.172/29 # This puts 172.30.200.172 -> 180 in the tunnel scope
Then in iptables, do explicit FORWARD statements for the hosts (/32’s) you want to forward. You can get as fancy or simple as you want, from all ports/protocols to individual port/protocol combinations with state tracking.
Let SS do the forwarding/crypto and the FW do the access control.
> On May 26, 2017, at 8:27 AM, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
> Hello Chris,
> You can't.
> Kind regards,
> On 26.05.2017 10:30, christopher kamutumwa wrote:
>> Hello all,
>> I have a query: how can I configure multiple ChildSAs in a range of IPs in the ipsec.conf file, e.g. the IPs below
>> right subnet = 172.27.186.71-74
>> right subnet = 172.27.186.64-66
>> left subnet = 172.30.200.172-176
>> Will appreciate any help rendered.
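The split described in the reply (broad subnets in strongSwan, per-host FORWARD rules in iptables), as an added example that is not part of the original thread. It expands the host ranges from the question into /32 rules and prints them for review; the function names and the assumption that this gateway terminates only this one tunnel are illustrative.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables FORWARD rules that limit
# tunnel traffic to the host ranges named in the question.
# Assumption: this gateway terminates only this one tunnel, so any other
# IPsec-protected forwarded traffic can be dropped.

# expand_range PREFIX FIRST LAST -> one /32 per line
expand_range() {
    i=$2
    while [ "$i" -le "$3" ]; do
        echo "$1.$i/32"
        i=$((i + 1))
    done
}

# Remote (right) hosts: 172.27.186.71-74 and 172.27.186.64-66
remote_hosts() {
    expand_range 172.27.186 71 74
    expand_range 172.27.186 64 66
}

# Local (left) hosts: 172.30.200.172-176
local_hosts() {
    expand_range 172.30.200 172 176
}

gen_forward_rules() {
    # Return traffic for flows that were already allowed.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for r in $(remote_hosts); do
        for l in $(local_hosts); do
            # Inbound: accept only if the packet really arrived through IPsec.
            echo "iptables -A FORWARD -s $r -d $l -m policy --dir in --pol ipsec -m conntrack --ctstate NEW -j ACCEPT"
            # Outbound: accept only if the packet will be protected by IPsec.
            echo "iptables -A FORWARD -s $l -d $r -m policy --dir out --pol ipsec -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    # Anything else inside the tunnel scope is dropped in both directions.
    echo "iptables -A FORWARD -m policy --dir in --pol ipsec -j DROP"
    echo "iptables -A FORWARD -m policy --dir out --pol ipsec -j DROP"
}

gen_forward_rules
```

Narrow the ACCEPT lines further with `-p`/`--dport` matches for individual port/protocol combinations, then pipe the reviewed output to `sh` as root to load it.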