Tobias,

On Thu, Jul 16, 2015 at 8:56 AM, Tobias Brunner <[email protected]> wrote:

> Hi Stuart,
>
> > I've been looking at adding support for subnets when using transport
> > mode. In our use case, it will be far more efficient to allow users to
> > specify
> >
> >   right=192.168.1.128/25
> >
> > instead of having to create a separate connection config for each host.
> > It appears that there has been some prior interest and work in this area:
> > https://wiki.strongswan.org/issues/196
>
> I've updated the trap-any branch (based on the trap-acquire-tracking
> branch). Due to the changes in 5.3.0 (reqids don't identify CHILD_SAs
> anymore) no additional reqids are required and no awkward SA deletion is
> needed anymore. So that removes one of the reservations I had about the
> previous iteration of the patch.
>
> And with the above patch it is actually already possible to limit the
> remote hosts to specific subnets/IPs. Just set `rightsubnet`
> accordingly. I added a test scenario (ikev2/trap-any) in that branch
> that illustrates this (see host dave).
>
> Let me know if that works for you.
>
> Tobias

Thanks for the update; that works for our use case.

I've tried the updated trap-any branch, and it works well (in very limited testing) so far, with one caveat. If you specify

  right=%any
  rightsubnet=192.168.0.0/30

then things work as expected. If the administrator uses

  right=192.168.0.0/30

however, the proposed traffic selector is 0.0.0.0/0 for both sides instead of 192.168.0.0/30. This blocks traffic to *all* hosts, not just the selected range, and leads to charon trying to initiate IKE even with hosts that are not in the specified range.

This could be construed as a misconfiguration, but my reading of the documentation implies that it is valid to specify a range for right. I implemented a solution in my earlier patch, and can update it if needed to base it off this branch. The basic fix I went with was to catch the substitution of any for the actual subnet in the trap_manager install method, and use the subnet for the traffic selector later.

Thanks,
--
Stuart
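As an added check that is not part of this thread or of strongSwan itself: the symptom described above, a transport-mode trap policy whose selector has widened to 0.0.0.0/0 instead of the intended 192.168.0.0/30, can be verified on the kernel side by parsing `ip xfrm policy` output and flagging any transport-mode policy whose src or dst selector strictly contains the configured subnet. The sample output below is constructed for illustration, not captured from the branch under discussion.

```python
import ipaddress

# Constructed `ip xfrm policy` output (not captured from the thread): the first
# policy shows the reported symptom (selector widened to 0.0.0.0/0), the second
# is what a transport-mode trap policy for 192.168.0.0/30 should look like.
SAMPLE_XFRM_POLICY = """\
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir out priority 399999 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 1 mode transport
src 192.168.0.1/32 dst 192.168.0.0/30
\tdir out priority 367231 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 2 mode transport
"""

def parse_policies(text):
    """Parse `ip xfrm policy` output into dicts: src/dst networks, dir, mode."""
    policies, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("src "):  # every policy block opens with "src X dst Y"
            fields = stripped.split()
            current = {"src": ipaddress.ip_network(fields[1]),
                       "dst": ipaddress.ip_network(fields[3]),
                       "dir": None, "mode": None}
            policies.append(current)  # dict is filled in by the following lines
        elif current is not None and stripped.startswith("dir "):
            current["dir"] = stripped.split()[1]
        elif current is not None and "mode " in stripped:  # "... mode transport"
            current["mode"] = stripped.split("mode ")[1].split()[0]
    return policies

def overly_broad(policies, expected_subnet):
    """Transport-mode policies whose src or dst selector strictly contains
    expected_subnet, i.e. that also cover hosts outside the intended range."""
    expected = ipaddress.ip_network(expected_subnet)
    flagged = []
    for pol in policies:
        if pol["mode"] != "transport":
            continue
        for sel in (pol["src"], pol["dst"]):
            if (sel.version == expected.version
                    and sel.prefixlen < expected.prefixlen
                    and expected.subnet_of(sel)):
                flagged.append((str(pol["src"]), str(pol["dst"]), pol["dir"]))
                break
    return flagged
```

On a live host, feed `overly_broad` the text of `ip xfrm policy show` and the subnet you configured; an empty result means no installed transport policy is wider than that subnet.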
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
