Hello Martin,
Is this feature ("> ...smaller subnets are always installed with a higher
priority") a strongSwan-specific feature, or is it specified by an RFC? If the
feature is strongSwan-specific, then the configuration below may not behave as
expected if the other end of the tunnel is not strongSwan.
Recall: the goal is for the cipher for traffic originating from 10.5.0.1 to be
"specific_3", unless the destination is HOST1 or HOST2.
conn to-HOST1
    also=host-host
    leftsubnet=10.5.0.1
    rightsubnet=10.6.0.2
    esp=specific_1
    auto=start

conn to-HOST2
    also=host-host
    leftsubnet=10.5.0.1
    rightsubnet=10.6.0.3
    esp=specific_2
    auto=start

conn to-WORLD
    also=host-host
    leftsubnet=10.5.0.1
    rightsubnet=0.0.0.0/0
    esp=specific_3
    auto=start

conn host-host
    left=<IP address of left>
    right=<IP address of right>
Mugur
-----Original Message-----
From: Martin Willi [mailto:[email protected]]
Sent: Tuesday 19 January 2010 14:40
To: ABULIUS, MUGUR (MUGUR)
Cc: [email protected]; SCARAZZINI, FABRICE (FABRICE); Salvarani,
Alexandro (Alex); ROSSI, MICHEL MR (MICHEL); Pisano, Stephen G (Stephen)
Subject: RE: [strongSwan] Narrowing TS for a specific host
> By which way the priority of a policy can be specified into 'ipsec.conf' file?
There is currently no way of specifying priorities manually in ipsec.conf. But
smaller subnets are always installed with a higher priority.
> [...] should be replaced by "rightsubnet=0.0.0.0/0"?
Yes, rightsubnet=0.0.0.0/0 includes all destination addresses.
Martin
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
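The following is an added example (not part of the thread and not strongSwan code) that parses the conn blocks above and models the rule Martin states, that a smaller subnet wins over a larger one, so the reader can check which esp proposal ends up governing a given source/destination pair; the left/right addresses in the embedded config are placeholders, and the scoring is a simplified model of the kernel's policy priority, not strongSwan's exact computation.

```python
import ipaddress

# Constructed excerpt: the thread's three conns plus the host-host template
# (left/right replaced by placeholder documentation addresses).
IPSEC_CONF = """
conn to-HOST1
    also=host-host
    leftsubnet=10.5.0.1
    rightsubnet=10.6.0.2
    esp=specific_1
conn to-HOST2
    also=host-host
    leftsubnet=10.5.0.1
    rightsubnet=10.6.0.3
    esp=specific_2
conn to-WORLD
    also=host-host
    leftsubnet=10.5.0.1
    rightsubnet=0.0.0.0/0
    esp=specific_3
conn host-host
    left=192.0.2.1
    right=198.51.100.1
"""

def parse_conns(text):
    """Parse conn sections into {name: {key: value}} (also= is kept as-is)."""
    conns, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            conns[current][key] = value
    return conns

def select_conn(conns, src, dst):
    """Simplified model of the rule in the thread: among conns whose
    selectors cover src/dst, the one with the longest prefixes wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for name, opts in conns.items():
        if "leftsubnet" not in opts or "rightsubnet" not in opts:
            continue  # the host-host template is not a policy on its own
        left = ipaddress.ip_network(opts["leftsubnet"], strict=False)
        right = ipaddress.ip_network(opts["rightsubnet"], strict=False)
        if src in left and dst in right:
            score = left.prefixlen + right.prefixlen
            if best is None or score > best[0]:
                best = (score, name, opts["esp"])
    return None if best is None else (best[1], best[2])
```

Running `select_conn(parse_conns(IPSEC_CONF), "10.5.0.1", "10.6.0.2")` returns `("to-HOST1", "specific_1")`, while any other destination falls through to `to-WORLD`; this only models the local end's selection, which is exactly the caveat Mugur raises about the peer.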