Thanks for the answer, Tobias, I got it.

Daniel

2015-07-23 19:35 GMT+02:00 Tobias Brunner <[email protected]>:
> Hi Daniel,
>
> > I still have one question which is not very clear in my mind.
> >
> > Does this patch allow Subnet-to-Subnet Transport Mode or does it allow
> > Host-to-Subnet Transport Mode?
>
> Neither. This is to simplify configuration of fully-meshed VPNs between
> a number of peers. IKE and IPsec SAs between the peers are established
> on demand based on the traffic between them.
>
> > The scenario I want to test is the following:
> >
> > Subnet A ------ Strongswan GW --------------- WAN Networking
> > ---------------- Strongswan GW --------------- Subnet B.
> >
> > In this particular use case, is it possible to create a single Transport
> > Mode IKEv2/IPsec session between both Strongswan gateways so both
> > subnets can communicate securely?
>
> No, that's currently not possible with strongSwan. This scenario is
> just what tunnel mode is for (or GRE over a transport mode IPsec SA).
>
> IPsec SAs are usually identified by the Protocol, SPI and destination
> address (and often even the source address). So to decrypt packets
> from/to all hosts transparently a gateway would have to install a whole
> bunch of duplicate SAs (same SPIs, same keys, but different addresses),
> at least as long as the OS' IPsec stack does not have support for this.
> Not sure if that would even work, but I doubt it would scale well.
>
> Regards,
> Tobias
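The tunnel mode alternative Tobias points to, written out for the Subnet A / Subnet B scenario above as an added example that is not part of the original thread or the strongSwan project's documentation; it uses swanctl.conf syntax, and the addresses, identities, certificate file names and subnets are placeholders.

```conf
# Added example, not from the thread: site-to-site tunnel mode between the
# two strongSwan gateways. All addresses, IDs and file names are placeholders.
connections {
    gw-a-to-gw-b {
        # IKEv2 between the two gateway outer addresses
        version      = 2
        local_addrs  = 203.0.113.1
        remote_addrs = 203.0.113.2
        proposals    = aes256-sha256-x25519
        dpd_delay    = 30s

        local {
            auth  = pubkey
            certs = gw-a-cert.pem
            id    = gw-a.example.org
        }
        remote {
            auth = pubkey
            id   = gw-b.example.org
        }

        children {
            subnet-a-to-subnet-b {
                # In tunnel mode the outer IP header carries the gateway
                # addresses, so one CHILD_SA pair (one SPI per direction)
                # protects traffic between every host in Subnet A and every
                # host in Subnet B. This is exactly what transport mode cannot
                # do: its SAs are bound to the end-host addresses, which is why
                # a gateway would need duplicate SAs per host pair.
                mode          = tunnel
                local_ts      = 10.1.0.0/16
                remote_ts     = 10.2.0.0/16
                esp_proposals = aes256gcm16-x25519
                # Install the policies at load time and negotiate the SAs on
                # demand when the first matching packet arrives.
                start_action  = trap
                dpd_action    = restart
            }
        }
    }
}
```

The gateway in front of Subnet B carries the mirror image of this configuration (local and remote addresses, identities and traffic selectors swapped); once both sides are loaded with `swanctl --load-all`, the first packet from Subnet A towards Subnet B triggers the IKE_SA and CHILD_SA setup.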
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
