Linux – Strongswan transport mode ipsec within subnet

ipsec, linux, strongswan

Is there any way to configure strongswan to automatically start encryption to a given subnet rather than a specific host? For example, if I know that my hosts at w.x.y.z/28 will have the same PSK configured, I'd like to configure all of them in one go with:

# ipsec.conf: one conn covering the whole /28 instead of one conn per host
conn protected
    left=%any
    right=%any
    # the peers as a subnet, not a single address
    rightsubnet=w.x.y.z/28
    # install a trap policy; IKE is triggered by the first matching packet
    auto=route
    forceencaps=no
    type=transport
    mobike=no
    authby=psk

or similar. I want to avoid specifying each one separately. I expected the trap on routes to do the required startup as needed. But strongswan refuses to work this way and claims that installing trap failed, remote address unknown.

Is this scenario possible in any way?

Best Answer

You must use Strongswan 5.3.3 or later.

See the test case trap-any in https://github.com/strongswan/strongswan/tree/master/testing/tests/ikev2/trap-any

See also Strongswan issues https://wiki.strongswan.org/issues/878 and https://wiki.strongswan.org/issues/196

Hope this helps
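Added here as an example, not code from the answer or from the strongSwan project: a portable shell check that reads the version banner from `ipsec --version` (assumed to look like `Linux strongSwan U5.x.y/K...`) and reports whether the installed build meets the 5.3.3 minimum the answer names before you rely on `right=%any` with `rightsubnet` and `auto=route`.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the installed
# strongSwan is new enough (>= 5.3.3) for subnet-wide trap policies.

# Extract the first x.y.z version number from a banner such as
# "Linux strongSwan U5.9.8/K5.15.0" (assumed format of `ipsec --version`).
strongswan_version() {
    printf '%s\n' "$1" | sed -n 's/.*strongSwan U\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 (true) if version $1 is >= version $2, comparing numerically
# component by component (so 5.10.0 >= 5.9.8 is handled correctly).
version_ge() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# Does this banner describe a build that supports the trap-any behaviour?
supports_trap_any() {
    v=$(strongswan_version "$1")
    [ -n "$v" ] || return 1
    version_ge "$v" 5.3.3
}

# Live check on the local host (only runs when the ipsec tool is installed).
if command -v ipsec >/dev/null 2>&1; then
    if supports_trap_any "$(ipsec --version 2>/dev/null | head -n 1)"; then
        echo "strongSwan is recent enough for subnet-wide trap policies"
    else
        echo "strongSwan older than 5.3.3: upgrade before using right=%any with rightsubnet"
    fi
fi
```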
