Hello Rainer,

Yes, that would be great indeed, but judging from the description of "left", that isn't supported yet.

From the manpage of ipsec.conf about "left":
"[...] To limit the connection to a specific range of hosts, a range ( 10.1.0.0-10.2.255.255 ) or a subnet ( 10.1.0.0/16 ) can be specified, and multiple addresses, ranges and subnets can be separated by commas. While one can freely combine these items, to initiate the connection at least one non-range/subnet is required."

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 18.06.2014 13:08, Rainer Klute wrote:
> On 18.06.2014 12:41, Noel Kuntze wrote:
>> Yes, this is possible.
>> Look at those scenarios: [1] and [2].
>>
>> [1] http://www.strongswan.org/uml/testresults/ikev2/host2host-cert/
>> [2] http://www.strongswan.org/uml/testresults/ikev2/host2host-transport/
>
> Thanks, Noel!
>
> However, this would require to configure a connection for each
> host-to-host pair, i.e. O(n²) connections for n authenticated hosts.
>
> Wouldn't it be great if there were a simpler way, i.e. something like
>
>     left = 192.168.1.0/24
>     leftca = "C=DE, O=My Organisation, CN=My Certification Authority"
>     leftcert = my-cert.pem
>     right = 192.168.1.0/24
>     rightca = %same
>
> in each station's ipsec.conf and with only my-cert.pem (and my-key.pem)
> being station-specific?
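Added example (not part of the thread and not strongSwan's own code): since the quoted manpage text requires a single address on the initiating side, the per-pair conn sections discussed above can be generated from a host list instead of written by hand. The station names, addresses, `<name>-cert.pem` file naming, peer subject DNs and the choice of `auto=route` are assumptions.

```python
from ipaddress import ip_address

# Constructed sample inventory: station names and addresses are hypothetical.
HOSTS = {
    "alpha": "192.168.1.10",
    "bravo": "192.168.1.11",
    "charlie": "192.168.1.12",
    "delta": "192.168.1.13",
}
CA_DN = "C=DE, O=My Organisation, CN=My Certification Authority"  # DN quoted in the thread


def conn_block(local, peer, hosts):
    """One conn from `local` to `peer`; the peer must chain to the shared CA."""
    return "\n".join([
        f"conn {local}-{peer}",
        f"\tleft={hosts[local]}",
        f"\tleftcert={local}-cert.pem",  # assumed per-station file naming
        f"\tright={hosts[peer]}",  # single address, so this side can initiate
        f'\trightid="C=DE, O=My Organisation, CN={peer}"',  # assumed subject DN
        f'\trightca="{CA_DN}"',
        "\ttype=transport",
        "\tauto=route",  # assumption: trap policy, negotiate on first traffic
    ])


def station_config(local, hosts):
    """Conn sections for one station: one per other host, n-1 in total."""
    for addr in hosts.values():
        ip_address(addr)  # ValueError for a subnet or range such as 192.168.1.0/24
    peers = [p for p in sorted(hosts) if p != local]
    return "\n\n".join(conn_block(local, p, hosts) for p in peers) + "\n"


def total_conns(hosts):
    """Conn sections across all stations: n * (n - 1), the O(n²) from the thread."""
    return sum(
        line.startswith("conn ")
        for name in hosts
        for line in station_config(name, hosts).splitlines()
    )


if __name__ == "__main__":
    print(station_config("alpha", HOSTS))
    print(f"# {total_conns(HOSTS)} conn sections for {len(HOSTS)} stations")
```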
