Project

General

Profile

Feature #196

Add support for right=%any (for auto=route)

Added by Tobias Brunner over 8 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Low
Assignee:
Tobias Brunner
Category:
charon
Target version:
5.3.3
Start date:
18.06.2012
Due date:
Estimated time:
Resolution:
Fixed

Description

We could use the addresses from the kernel's acquire to try to establish a tunnel. We could also add some something like right=<addr>, <ip-range>, <subnet>.

Related issues

Related to Feature #92: IPv6 and %defaultrouteClosed24.09.2009
Related to Feature #878: Support for remote ranges in transport modeClosed06.03.2015
Blocks Issue #513: Fully meshed VPN Sessions using right=%any is not workingClosed11.02.2014

Associated revisions

Revision 301a0bad (diff)
Added by Tobias Brunner about 5 years ago

trap-manager: Enable auto=route with right=%any for transport mode connections

Fixes #196.

History

#1 Updated by Tobias Brunner over 8 years ago

  • Assignee deleted (Martin Willi)

#2 Updated by Tobias Brunner over 6 years ago

  • Blocks Issue #513: Fully meshed VPN Sessions using right=%any is not working added

#3 Updated by Simon Deziel over 5 years ago

Adding this functionality would be very welcome. It would also bridge the gap with what Windows provides.

#4 Updated by Tobias Brunner over 5 years ago

  • Related to Feature #878: Support for remote ranges in transport mode added

#5 Updated by J. Bill Chilton over 5 years ago

Found my way to this issue when I couldn't get my right-any, auto-route config to work also.

Tobias, is there perhaps a patch to implement this behavior in existence that I could undertake to make work on v. 5.1.1?

/jwc

#6 Updated by Tobias Brunner about 5 years ago

  • Status changed from New to Closed
  • Assignee set to Tobias Brunner
  • Target version set to 5.3.3
  • Resolution set to Fixed

I've pushed this to master. With the referenced commit it is now possible to configure

conn trap-any
    right=%any
    ...
    type=transport
    auto=route

The hosts can be limited by specifying rightsubnet (e.g. rightsubnet=192.168.1.0/24,192.168.2.0/30,10.0.2.2/32). It is even possible to limit this to a specific protocol/port (for any remote host use %dynamic[<proto>/<port>], not 0.0.0.0/0[...]). A new test scenario (ikev2/trap-any, bb1d9e45) provides some examples.

Authentication can easily be done via certificates, but using PSKs is also possible. However, because there is no pattern/subnet matching for IP-based identities you need to either use a single secret for all hosts or use identities appropriately if you want to use different PSKs for different groups of hosts (e.g. use leftid=<host>@<group>.example.com and rightid=*@<group>.example.com in ipsec.conf and *@<group>.example.com : PSK "..." in ipsec.secrets).

Also available in: Atom PDF