[strongSwan] IPv6, whole /64 in transport mode

Victor Sudakov vas at sibptus.ru
Tue Jan 21 03:44:29 CET 2020

Noel Kuntze wrote:
> Am 20.01.20 um 17:30 schrieb Victor Sudakov:
> > Dear Colleagues,
> > 
> > If I want to set up an IPSec transport mode connection between two
> > hosts, I describe the following connection, and it works:
> > 
> > conn test-v6
> >     left=X:X:X:X::2
> >     right=Y:Y:Y:Y::10
> >     type=transport
> >     authby=psk
> >     auto=route
> > 
> > However, the remote host uses several IP addresses from the Y:Y:Y:Y::/64
> > network, not just Y:Y:Y:Y::10. There is the static address, a SLAAC
> > address, an RFC4941 outgoing address, may be more...
> > 
> > 1. How do I configure Strongswan so that the remote side can be any address
> > from the Y:Y:Y:Y::/64 network and the connection is still protected?
> > 
> > 
> Use a subnet wide transport mode config as shown on the UsableExamples page.

Dear Noel,

If you mean the "Host-To-Host transport mode" example at
this is exactly what I would like explained a bit:

1. Why does the example use "right=%any rightsubnet="
instead of just "right=" ?

2. Does not "right=%any" mean that Strongswan will try to encrypt any outgoing connection?

I've of course read man ipsec.conf, but the semantics of
{left,right}subnet in *transport* mode is still not quite clear to me.

If by "subnet wide transport mode config" you mean something else,
please point at it.

> > 2. What if both the left and right hosts are like this?

P.S. Probably I need to research how all these Strongswan options translate
to actual policies ("setkey -DP").

Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/

More information about the Users mailing list