Hi Stuart,

> One possible trigger could be
> right=%subnet which would point the administrator to the correct
> configuration directive.

If you literally mean %subnet (and not %<subnet definition>, which is used for the "allow any" functionality) then that might work, although there is still the problem that the syntax for the two options is different (but we could probably strip stuff like protocol/port and skip %dynamic and apply that as `right`). Thanks for the suggestion, I'll look into this.

> I've done some more testing, and so far the updated trap-any branch
> works well...

Thanks for testing. I suspect there might be some issues during reauthentication or if dpdaction=restart is used (although these might be resolved by the changes in the remote-host-fallback branch, at least if right=%any is used, or no single addresses would be listed in `rightsubnet` with right=%subnet).

> (*) If the secret is specified per-host, rather than for the range,
> strongswan does work as a responder. E.G.
> 192.168.122.0/24 : PSK "mysecret"
> does not work while
> 192.168.122.70 : PSK "mysecret"
> works, albeit only for that specific remote.

Correct, there is no matching for IP address identities. See my email to Daniel for details.

Regards,
Tobias
