Is there any way to configure strongswan to automatically start encryption to a given subnet rather than specific host? For example, if I know that my hosts at w.x.y.z/28
will have the same PSK configured. I'd like to configure all of them in one go with:
conn protected
    left=%any
    right=%any
    rightsubnet=w.x.y.z/28
    auto=route
    forceencaps=no
    type=transport
    mobike=no
    authby=psk
or similar. I want to avoid specifying each one separately. I expected the trap on routes to do the required startup as needed. But strongswan refuses to work this way and claims that "installing trap failed, remote address unknown".
Is this scenario possible in any way?
You must use Strongswan 5.3.3 or later.
See the test case trap-any in https://github.com/strongswan/strongswan/tree/master/testing/tests/ikev2/trap-any
See also Strongswan issues https://wiki.strongswan.org/issues/878 and https://wiki.strongswan.org/issues/196
Hope this helps
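Since the answer hinges on the installed release (5.3.3 or later), the following is an added check script, not part of the original post or of the strongSwan project: it parses the `ipsec --version` banner, compares it against 5.3.3 with a plain field-by-field comparison (no GNU `sort -V` dependency), and then shows where the resulting trap policy appears in `ipsec statusall` and `swanctl --list-pols`. The banner strings used in the comments are constructed samples.

```shell
#!/bin/sh
# Added check for the trap-any prerequisite discussed above (not from the post).

# version_ge A B: exit 0 when dotted version A >= B, 1 otherwise.
# Fields are compared numerically one at a time; missing fields count as 0.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$x" = "$a" ] && a='' || a=${a#*.}
        [ "$y" = "$b" ] && b='' || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# parse_strongswan_version LINE: print the userland version from a banner
# such as "Linux strongSwan U5.9.8/K6.1.0-13-amd64" (constructed sample);
# prints nothing if the line does not look like an `ipsec --version` banner.
parse_strongswan_version() {
    printf '%s\n' "$1" | sed -n 's/.*strongSwan U\([0-9][0-9.]*\).*/\1/p'
}

# supports_trap_any LINE: exit 0 when the banner reports 5.3.3 or later,
# the first release that accepts auto=route with right=%any plus rightsubnet.
supports_trap_any() {
    v=$(parse_strongswan_version "$1")
    [ -n "$v" ] && version_ge "$v" "5.3.3"
}

# show_trap_policies: on a live host, print the trap ("routed") policies that
# strongSwan installed, using both the legacy and the swanctl interfaces.
# Not exercised by the self-test below because it needs a running daemon.
show_trap_policies() {
    echo "== ipsec statusall: Routed Connections =="
    ipsec statusall | sed -n '/^Routed Connections:/,/^Security Associations/p'
    echo "== swanctl: trap policies =="
    swanctl --list-pols --trap
}

# Stand-alone run: check the local daemon, then list what it trapped.
if [ "${1:-}" = "--check-local" ]; then
    banner=$(ipsec --version 2>/dev/null | head -n1)
    if supports_trap_any "$banner"; then
        echo "OK: '$banner' supports trap policies with right=%any"
        show_trap_policies
    else
        echo "Too old or not found: '$banner' (need strongSwan 5.3.3+)"
        exit 1
    fi
fi
```

Run it as `sh check-trap-any.sh --check-local` on the host carrying the `conn protected` block; if the version check passes but the "Routed Connections:" section is empty, the trap was not installed and the charon log around "installing trap failed" is the next place to look.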