[strongSwan] IPv6, whole /64 in transport mode
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Jan 22 20:20:05 CET 2020
That's because your configuration is incorrect.
Do not set right or left. If you do that, you can't use transport mode anymore while having rightsubnet != right and leftsubnet != left.
On 21.01.20 at 16:59, Victor Sudakov wrote:
> noel.kuntze+strongswan-users-ml at thermi.consulting wrote:
>> https://wiki.strongswan.org/issues/196#note-6
>>
>> Tobias is literally the person that wrote the code, so it's extremely likely that what he wrote and what the test scenario successfully tests is what in fact works.
>
>
> No, this does not work. Probably it is not suitable for the case where
> the rightsubnet belongs to one host, not multiple hosts. IPv6 traffic
> remains unencrypted.
>
> My configs (with real IPs even):
>
> Host A (has one address)
>
> conn test-v6
>     left=2001:470:35:7af::2
>     right=%any
>     rightsubnet=2001:19f0:8001:1219::/64
>     type=transport
>     authby=psk
>     auto=route
>
> Host B (has multiple addresses from a /64 network)
>
> conn test-v6
>     left=%any
>     leftsubnet=2001:19f0:8001:1219::/64
>     right=2001:470:35:7af::2
>     type=transport
>     authby=psk
>     auto=route
>
>
>
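A lint for the rule stated in the reply above, as an added example that is not part of the original thread or of strongSwan: it flags every `type=transport` conn where `left`/`right` is set and the matching `leftsubnet`/`rightsubnet` differs from it. The function names are hypothetical, and the parser is assumed to see only literal options (it does not resolve `also=` or `conn %default`).

```python
import ipaddress

# The two configs quoted in the thread, with ipsec.conf indentation.
HOST_A = """\
conn test-v6
    left=2001:470:35:7af::2
    right=%any
    rightsubnet=2001:19f0:8001:1219::/64
    type=transport
    authby=psk
    auto=route
"""
HOST_B = """\
conn test-v6
    left=%any
    leftsubnet=2001:19f0:8001:1219::/64
    right=2001:470:35:7af::2
    type=transport
    authby=psk
    auto=route
"""

def parse_conns(text):
    """Return {conn_name: {option: value}} for the conn sections of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if line and not line[0].isspace():        # unindented line opens a section
            kind, name = (line.split(None, 1) + [""])[:2]
            current = conns.setdefault(name, {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def same_scope(addr, subnet):
    """True when subnet covers exactly the single host address addr."""
    try:
        return ipaddress.ip_network(subnet, strict=False) == ipaddress.ip_network(addr)
    except ValueError:                            # %any or a hostname is never equal
        return False

def lint_transport(text):
    """List (conn, side, address, subnet) where the side's subnet != its address."""
    return [(name, side, opts[side], opts[side + "subnet"])
            for name, opts in parse_conns(text).items() if opts.get("type") == "transport"
            for side in ("left", "right")
            if opts.get(side) and opts.get(side + "subnet")
            and not same_scope(opts[side], opts[side + "subnet"])]
```

Both quoted configs are flagged on the `%any` side, which is the side carrying the /64.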