[strongSwan] IPv6, whole /64 in transport mode
Victor Sudakov
vas at sibptus.ru
Tue Jan 21 03:44:29 CET 2020
Noel Kuntze wrote:
> Am 20.01.20 um 17:30 schrieb Victor Sudakov:
> > Dear Colleagues,
> >
> > If I want to set up an IPSec transport mode connection between two
> > hosts, I describe the following connection, and it works:
> >
> > conn test-v6
> > left=X:X:X:X::2
> > right=Y:Y:Y:Y::10
> > type=transport
> > authby=psk
> > auto=route
> >
> > However, the remote host uses several IP addresses from the Y:Y:Y:Y::/64
> > network, not just Y:Y:Y:Y::10. There is the static address, a SLAAC
> > address, an RFC4941 outgoing address, maybe more...
> >
> > 1. How do I configure Strongswan so that the remote side can be any address
> > from the Y:Y:Y:Y::/64 network and the connection is still protected?
> >
> >
>
> Use a subnet wide transport mode config as shown on the UsableExamples page.
Dear Noel,
If you mean the "Host-To-Host transport mode" example at
https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
this is exactly what I would like explained a bit:
1. Why does the example use "right=%any rightsubnet=192.168.1.0/24"
instead of just "right=192.168.1.0/24" ?
2. Does not "right=%any" mean that Strongswan will try to encrypt any outgoing connection?
I've of course read man ipsec.conf, but the semantics of
{left,right}subnet in *transport* mode is still not quite clear to me.
If by "subnet wide transport mode config" you mean something else,
please point at it.
> > 2. What if both the left and right hosts are like this?
P.S. Probably I need to research how all these Strongswan options translate
to actual policies ("setkey -DP").
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
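An added example (not from this thread, and not the strongSwan wiki's own text) of the "subnet wide transport mode" pattern the reply refers to, applied to the prefixes in the question. The point of `right=%any` plus `rightsubnet=` is that `left`/`right` name the IKE endpoints while `leftsubnet`/`rightsubnet` are the traffic selectors, and with `auto=route` only the selectors become trap policies in the kernel, so `right=%any` does not make strongSwan encrypt every outgoing connection: only traffic matching the selectors triggers a negotiation. The prefixes, the identities and the PSK line are placeholders; `keyexchange=ikev2`, using `%any` on both ends so that each peer's IKE address follows the triggering packet, and the mirrored config on the other host are assumptions made for this example and should be checked against the wiki page and the installed policies:

```conf
# ipsec.conf on host A (X:X:X:X::/64). Added example, not from the thread or
# the wiki. Mirror it on host B with the two subnets and the ids swapped.
config setup

conn test-v6-subnet
    keyexchange=ikev2         # assumption: IKEv2 for subnet-wide transport mode
    type=transport
    authby=psk
    auto=route                # trap policies are installed for the selectors only
    # IKE endpoints: not pinned to a single address (assumption: with %any the
    # IKE addresses are taken from the packet that hits the trap policy)
    left=%any
    right=%any
    leftid=@hostA             # placeholder identities, used to select the PSK
    rightid=@hostB
    # Traffic selectors: these are what shows up as kernel policies
    # (setkey -DP on a PF_KEY system, ip xfrm policy on Linux).
    # Only traffic between the two /64s is trapped; nothing else is touched.
    leftsubnet=X:X:X:X::/64
    rightsubnet=Y:Y:Y:Y::/64

# ipsec.secrets, placeholder PSK keyed by the two identities above
# @hostA @hostB : PSK "replace-with-a-long-random-secret"
```

After `ipsec reload` (or `ipsec restart`), dump the policies on each host: the selector should be X:X:X:X::/64 <-> Y:Y:Y:Y::/64 in transport mode and nothing wider. If a policy with a 0/0 or ::/0 selector appears, the subnet options did not take effect and the config needs another look before relying on it.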