Thanks for your responses, I still have one question which is not very clear in my mind.
Does this patch allow subnet-to-subnet transport mode, or does it allow host-to-subnet transport mode? The scenario I want to test is the following:

Subnet A ------ strongSwan GW --------------- WAN networking ---------------- strongSwan GW --------------- Subnet B

In this particular use case, is it possible to create a single transport-mode IKEv2/IPsec session between both strongSwan gateways so that both subnets can communicate securely? Is there going to be a single IKEv2 session with several IPsec SAs, one for every single host within the subnets? If several IPsec SAs are created, then I guess there will be a lot of keys negotiated to secure communications among all hosts within the subnets.

Sorry, I probably should have asked this question on the other mailing list ;)

Thanks a lot,
Daniel Palomares

2015-07-22 12:14 GMT+02:00 Tobias Brunner <[email protected]>:
> Hi Stuart,
>
> > One possible trigger could be
> > right=%subnet which would point the administrator to the correct
> > configuration directive.
>
> If you literally mean %subnet (and not %<subnet definition>, which is
> used for the "allow any" functionality) then that might work, although
> there is still the problem that the syntax for the two options is
> different (but we could probably strip stuff like protocol/port and skip
> %dynamic and apply that as `right`). Thanks for the suggestion, I'll
> look into this.
>
> > I've done some more testing, and so far the updated trap-any branch
> > works well...
>
> Thanks for testing. I suspect there might be some issues during
> reauthentication or if dpdaction=restart is used (although these might
> be resolved by the changes in the remote-host-fallback branch, at least
> if right=%any is used, or no single addresses would be listed in
> `rightsubnet` with right=%subnet).
>
> > (*) If the secret is specified per-host, rather than for the range,
> > strongswan does work as a responder. E.G.
> >
> > 192.168.122.0/24 : PSK "mysecret"
> >
> > does not work while
> >
> > 192.168.122.70 : PSK "mysecret"
> >
> > works, albeit only for that specific remote.
>
> Correct, there is no matching for IP address identities. See my email
> to Daniel for details.
>
> Regards,
> Tobias
>
> _______________________________________________
> Dev mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/dev
_______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
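The thread above notes that a PSK line keyed on a subnet (`192.168.122.0/24 : PSK "mysecret"`) does not match a peer identifying itself with a host address, while a per-host line (`192.168.122.70 : PSK "mysecret"`) does. The following is an added example, not code from the thread or from the strongSwan project: a small Python helper that expands a CIDR into the per-host `ipsec.secrets` lines that do work, plus a deliberately simplified lookup that models the "no matching for IP address identities" behaviour as an exact-string comparison of the selector against the remote ID. The exact-match model and the `expand_psk_entries`/`find_psk` names are assumptions made for illustration; they are not strongSwan's real secret-lookup code, which also handles `%any`, wildcards and other ID types.

```python
"""Expand a subnet into per-host PSK selectors for ipsec.secrets.

Added example (not strongSwan code). It models the behaviour reported on
the list: a CIDR selector never matches a peer's IP-address identity, so
one line per host is needed if the remote hosts authenticate with PSKs.
"""
import ipaddress
import sys


def expand_psk_entries(cidr: str, secret: str, skip_edges: bool = True) -> list:
    """Return one 'host : PSK "secret"' line per usable address in cidr.

    skip_edges=True drops the network and broadcast addresses, which no
    real host will use as its IKE identity. A double quote in the secret
    would break the ipsec.secrets quoting, so it is rejected up front.
    """
    if '"' in secret:
        raise ValueError("secret must not contain a double quote")
    net = ipaddress.ip_network(cidr, strict=True)
    addresses = net.hosts() if skip_edges else iter(net)
    return [f'{ip} : PSK "{secret}"' for ip in addresses]


def find_psk(entries: list, remote_id: str):
    """Simplified secret lookup (assumption, not strongSwan's algorithm).

    Each entry's selector is compared as an exact string against the
    remote identity. A CIDR selector such as 192.168.122.0/24 therefore
    never matches the host identity 192.168.122.70, which is the failure
    described in the thread. Returns the secret or None.
    """
    for entry in entries:
        selector, sep, rest = entry.partition(" : PSK ")
        if not sep:
            continue  # not a PSK line; ignore
        if selector.strip() == remote_id:
            return rest.strip().strip('"')
    return None


def main(argv: list) -> int:
    """Usage: expand_psk.py 192.168.122.0/24 mysecret > ipsec.secrets.d/hosts"""
    if len(argv) != 3:
        print(main.__doc__, file=sys.stderr)
        return 2
    for line in expand_psk_entries(argv[1], argv[2]):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The expanded block can be placed in `ipsec.secrets` (or a file pulled in with `include`) on the responder; a /24 yields 254 lines, which is manageable, but for larger ranges or many subnets a per-gateway identity with certificate authentication avoids the per-host secret list entirely.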
