Hi Stuart,

> I've been looking at adding support for subnets when using transport
> mode. In our use case, it will be far more efficient to allow users to
> specify
> right=192.168.1.128/25
> instead of having to create a separate connection config for each host.
> It appears that there has been some prior interest and work in this area:
> https://wiki.strongswan.org/issues/196

I've updated the trap-any branch (based on the trap-acquire-tracking branch). Due to the changes in 5.3.0 (reqids don't identify CHILD_SAs anymore) no additional reqids are required and no awkward SA deletion is needed anymore. So that removes one of the reservations I had about the previous iteration of the patch.

And with the above patch it is actually already possible to limit the remote hosts to specific subnets/IPs. Just set `rightsubnet` accordingly. I added a test scenario (ikev2/trap-any) in that branch that illustrates this (see host dave).

Let me know if that works for you.

Regards,
Tobias

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
