[strongSwan] addrblock

Modster, Anthony Anthony.Modster at Teledyne.com
Tue Jan 21 19:53:15 CET 2020


If the parameter charon.plugins.addrblock.strict = "no" and address blocks exist in the certificates, will the addrblock plugin try to set the traffic selectors?

The pki tool<https://wiki.strongswan.org/projects/strongswan/wiki/IpsecPki> gained support for generating certificates with RFC 3779<https://tools.ietf.org/html/rfc3779> addrblock extensions. The charon addrblock plugin now dynamically narrows traffic selectors based on the certificate's addrblocks instead of rejecting non-matching selectors completely. This allows generic connections, where the allowed selectors are defined by the used certificates only.
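
The difference between narrowing and outright rejection described in the quoted release note, as an added Python illustration (not strongSwan code and not part of the original message). It assumes the address blocks are plain CIDR prefixes; the function names and sample values are constructed for the example.

```python
import ipaddress


def narrow_selectors(proposed, addrblocks):
    """Shrink each proposed selector to the part covered by an address block."""
    blocks = [ipaddress.ip_network(b) for b in addrblocks]
    narrowed = []
    for ts in map(ipaddress.ip_network, proposed):
        for block in blocks:
            if ts.version != block.version:
                continue  # never compare IPv4 with IPv6
            if ts.subnet_of(block):
                narrowed.append(ts)      # already inside the block: keep as is
            elif block.subnet_of(ts):
                narrowed.append(block)   # wider than the block: cut down to it
            # otherwise disjoint: this block contributes nothing
    # Drop duplicates while keeping the original order.
    return [str(n) for n in dict.fromkeys(narrowed)]


def reject_unless_covered(proposed, addrblocks):
    """All-or-nothing check: one selector outside the blocks fails the whole set."""
    blocks = [ipaddress.ip_network(b) for b in addrblocks]
    for ts in map(ipaddress.ip_network, proposed):
        if not any(ts.version == b.version and ts.subnet_of(b) for b in blocks):
            return []
    return list(proposed)


# Constructed sample values: blocks as they might appear in a certificate,
# and a generic connection that proposes "everything".
CERT_ADDRBLOCKS = ["10.1.0.0/16", "2001:db8:1::/48"]
GENERIC = ["0.0.0.0/0", "::/0"]

if __name__ == "__main__":
    print("narrowed:", narrow_selectors(GENERIC, CERT_ADDRBLOCKS))
    print("rejected:", reject_unless_covered(GENERIC, CERT_ADDRBLOCKS))
    print("disjoint:", narrow_selectors(["192.168.0.0/24"], CERT_ADDRBLOCKS))
```

With narrowing, a generic connection ends up limited to what the certificate allows; with the all-or-nothing check the same proposal yields no selectors at all.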