[strongSwan] IPv6, whole /64 in transport mode
Victor Sudakov
vas at sibptus.ru
Tue Jan 21 16:59:14 CET 2020
noel.kuntze+strongswan-users-ml at thermi.consulting wrote:
> https://wiki.strongswan.org/issues/196#note-6
>
> Tobias is literally the person that wrote the code, so it's extremely likely that what he wrote and what the test scenario successfully tests is what in fact works.
No, this does not work. Probably it is not suitable for the case where
the rightsubnet belongs to one host, not multiple hosts. IPv6 traffic
remains unencrypted.
My configs (with real IPs even):
Host A (has one address)

conn test-v6
        left=2001:470:35:7af::2
        right=%any
        rightsubnet=2001:19f0:8001:1219::/64
        type=transport
        authby=psk
        auto=route

Host B (has multiple addresses from a /64 network)

conn test-v6
        left=%any
        leftsubnet=2001:19f0:8001:1219::/64
        right=2001:470:35:7af::2
        type=transport
        authby=psk
        auto=route

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/