Strongswan transport mode ipsec within subnet

Server Fault Asked by viraptor on January 12, 2021

Is there any way to configure strongswan to automatically start encryption to a given subnet rather than a specific host? For example, if I know that my hosts at w.x.y.z/28 will have the same PSK configured, I’d like to configure all of them in one go with:

conn protected
    left=%any
    right=%any
    rightsubnet=w.x.y.z/28
    auto=route
    forceencaps=no
    type=transport
    mobike=no
    authby=psk

or similar. I want to avoid specifying each one separately. I expected the trap on routes to do the required startup as needed. But strongswan refuses to work this way and claims that installing trap failed, remote address unknown.

Is this scenario possible in any way?

One Answer

You must use Strongswan 5.3.3 or later.

See the test case trap-any in https://github.com/strongswan/strongswan/tree/master/testing/tests/ikev2/trap-any

See also Strongswan issues https://wiki.strongswan.org/issues/878 and https://wiki.strongswan.org/issues/196

Hope this helps

Answered by Ramón García on January 12, 2021
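As an added example (not part of the question, the answer, or strongswan's own test suite), the same connection written in swanctl.conf syntax, which is what current strongswan releases load; it assumes strongswan 5.3.3 or later, 10.0.0.0/28 as a stand-in for w.x.y.z/28, and a placeholder PSK.

```conf
# swanctl.conf equivalent of the ipsec.conf "conn protected" in the question.
# Assumptions: strongswan >= 5.3.3, 10.0.0.0/28 in place of w.x.y.z/28,
# placeholder PSK.
connections {
    protected {
        version = 2
        # local_addrs defaults to %any; the peer is not named either,
        # so the trap cannot be tied to a single remote address.
        remote_addrs = %any
        local  { auth = psk }
        remote { auth = psk }
        children {
            protected {
                # The trap policy covers the whole subnet. When a packet
                # matches, the transport-mode SA is negotiated between the
                # two hosts involved, not the entire /28.
                remote_ts = 10.0.0.0/28
                mode = transport
                # Install the trap at load time, same as auto=route.
                start_action = trap
            }
        }
    }
}

secrets {
    # No "id" entries: the secret is used for any peer, so every host in
    # the /28 can carry an identical swanctl.conf.
    ike-protected {
        secret = "REPLACE-WITH-A-LONG-RANDOM-PSK"
    }
}
```

After `swanctl --load-all`, `swanctl --list-pols` should list a transport-mode trap policy for 10.0.0.0/28; on releases before 5.3.3 the trap cannot be installed, which is the failure the question describes.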
