[strongSwan] IPv6, whole /64 in transport mode
Victor Sudakov
vas at sibptus.ru
Tue Jan 21 09:27:03 CET 2020
Victor Sudakov wrote:
>
> If you mean the "Host-To-Host transport mode" example at
> https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
> this is exactly what I would like explained a bit:
>
> 1. Why does the example use "right=%any rightsubnet=192.168.1.0/24"
> instead of just "right=192.168.1.0/24" ?
>
> 2. Does not "right=%any" mean that Strongswan will try to encrypt any outgoing connection?
>
> I've of course read man ipsec.conf, but the semantics of
> {left,right}subnet in *transport* mode is still not quite clear to me.
If I understand correctly, then

1. "{left,right}subnet" means the traffic which should trigger the creation of an SA.
2. {left,right} mean the SA peers (endpoints).

Is this correct?

Still, I don't understand why the example uses "right=%any" for multiple
hosts from the "rightsubnet". How is that (SA peer selection?)
supposed to work?
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/