Re: [strongSwan] IP range support

2011-02-09 Thread Martin Willi
Hi Brian,

> I am using strongswan-4.2.8 and have a question to check with you: does
> this version support an IP range like 192.168.2.3-192.168.2.233 when
> set on the left|right side?

4.2.8 supports IKEv1 only, and this protocol supports full subnets only.
Or is there an extension for arbitrary address ranges?

The newer IKEv2 supports such address ranges, and our daemon can
actually negotiate them. But:
 1) there is currently no way to configure such ranges in ipsec.conf
 2) the Linux kernel can handle policies with full subnets only

If a range is negotiated, it gets mapped to the next larger subnet.

> If not, does anyone have an idea how to implement it?

It would require major effort to extend the kernel accordingly. So it
probably won't happen soon, unless somebody is willing to sponsor it.

Regards
Martin



___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] IP range support

2011-05-23 Thread Andreas Steffen
Hello Brian,

The IKEv2 charon daemon supports arbitrary IP ranges
for traffic selectors but the IPsec stack of the Linux
kernel can configure subnets based on network masks only.

BTW, 0.0.0.0 - 255.255.255.255 can be written as 0.0.0.0/0

Regards

Andreas

On 23.05.2011 07:18, Brian Zhao - 赵宪鹏 wrote:
> Dear Andreas,
>
> I want to establish a VPN tunnel like below:
>
> Branch Office:
> Local Network : x.y.z.t/a
> Remote Network : 0.0.0.0 - 255.255.255.255
>
> Central Office:
> Local Network : 0.0.0.0 - 255.255.255.255
> Remote Network : x.y.z.t/a
>
> Does strongswan-4.2.8 support it? In other words, are IP ranges
> supported by strongswan? If not, are IP ranges in your plans?
>
> Thanks!
>
> Brian
>


-- 
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==


Re: [strongSwan] IP range support

2012-02-08 Thread Tobias Brunner
Hi Chester,

> I am using strongswan-4.2.8 and have a question to check with you: does
> this version support an IP range like 192.168.2.3-192.168.2.233 when
> set on the left|right side?

No, we currently don't support arbitrary address ranges.  Such ranges
are simply mapped to the smallest subnet containing at least all the
addresses (192.168.2.0/24 in your case).

> If not, does anyone have an idea how to implement it?

You have to manually split your range into multiple subnets and use
these in left|rightsubnet.  For your range this would give you a list of
10 subnets:

  192.168.2.3/32, 192.168.2.4/30, 192.168.2.8/29, 192.168.2.16/28,
  192.168.2.32/27, 192.168.2.64/26, 192.168.2.128/26, 192.168.2.192/27,
  192.168.2.224/29, 192.168.2.232/31

I just added a ticket for this [1], so we will probably add support for
address ranges in one of our next releases.

Regards,
Tobias

[1] http://wiki.strongswan.org/issues/173
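
The manual split and the "smallest containing subnet" mapping discussed in this thread, as an added example (not part of the original messages and not strongSwan code). The function names are made up for illustration; the last function counts how many addresses outside the requested range end up inside the policy when the range is widened to one subnet.

```python
import ipaddress

def _bounds(first, last):
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    return lo, hi

def covering_subnet(first, last):
    """Smallest single subnet that contains every address in first..last."""
    lo, hi = _bounds(first, last)
    # Bits that differ between the two ends must all be host bits.
    prefix = 32 - (lo ^ hi).bit_length()
    shift = 32 - prefix
    return ipaddress.IPv4Network((lo >> shift << shift, prefix))

def split_range(first, last):
    """Exact cover of first..last as a list of subnets, lowest address first."""
    lo, hi = _bounds(first, last)
    blocks = []
    while lo <= hi:
        # Largest block that can start at lo (alignment limit) ...
        size = lo & -lo if lo else 1 << 32
        # ... shrunk until it no longer runs past hi.
        while size > hi - lo + 1:
            size >>= 1
        blocks.append(ipaddress.IPv4Network((lo, 33 - size.bit_length())))
        lo += size
    return blocks

def extra_addresses(first, last):
    """Addresses covered by the single subnet but not part of the range."""
    lo, hi = _bounds(first, last)
    return covering_subnet(first, last).num_addresses - (hi - lo + 1)

def subnet_list(first, last):
    """Comma-separated form, as in the list given in the message above."""
    return ", ".join(str(net) for net in split_range(first, last))

if __name__ == "__main__":
    first, last = "192.168.2.3", "192.168.2.233"   # range from the thread
    print("covering subnet :", covering_subnet(first, last))
    print("extra addresses :", extra_addresses(first, last))
    print("exact split     :", subnet_list(first, last))
```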
