Hello all, I'm interested in using Transport Mode for subnets.
I found the Test Scenario description here:
https://git.strongswan.org/?p=strongswan.git;a=commit;h=d8a5f15f6a0c7665527e2e788001d63e12790f27
[ Didn't find it on: https://www.strongswan.org/testresults.html ]

And the trap manager patch here:
https://git.strongswan.org/?p=strongswan.git;a=commit;h=7b3b674fae4ecc3ae2a1a07a1701dcf6f72b4bd7

Do I need anything else to make it work?
Correct me if I'm wrong, this only works with Certificate-based authentication (CA) and not Pre-Shared Keys (PSK)?

Thank you!

Daniel Palomares

2015-07-16 14:56 GMT+02:00 Tobias Brunner <[email protected]>:

> Hi Stuart,
>
> > I've been looking at adding support for subnets when using transport
> > mode. In our use case, it will be far more efficient to allow users to
> > specify
> >     right=192.168.1.128/25
> > instead of having to create a separate connection config for each host.
> > It appears that there has been some prior interest and work in this area:
> > https://wiki.strongswan.org/issues/196
>
> I've updated the trap-any branch (based on the trap-acquire-tracking
> branch). Due to the changes in 5.3.0 (reqids don't identify CHILD_SAs
> anymore) no additional reqids are required and no awkward SA deletion is
> needed anymore. So that removes one of the reservations I had about the
> previous iteration of the patch.
>
> And with the above patch it is actually already possible to limit the
> remote hosts to specific subnets/IPs. Just set `rightsubnet`
> accordingly. I added a test scenario (ikev2/trap-any) in that branch
> that illustrates this (see host dave).
>
> Let me know if that works for you.
>
> Regards,
> Tobias
>
> _______________________________________________
> Dev mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/dev
