[Openswan Users] Does "leftsubnet" support IP range format?
Yang Hsiung
yhsiung at zyxel.com
Mon Aug 5 18:12:43 UTC 2013
Hi,
I found an Openswan Users thread discussing the same question
three years ago, as below:
============================================================
Re: [Openswan Users] IP subnet range
On Mon, 19 Apr 2010, Mike A. Leonetti wrote:
> Is there a way to set the subnet to an IP range instead of an entire
> subnet? I need to satisfy this message when I try and bring up a VPN to
> a Sonicwall.
>
> peer client ID payload in Quick I1, ID_IPV4_ADDR_RANGE 192.168.1.21 -
> 192.168.1.22 unacceptable: not a valid subnet
It has to be CIDR notation. Any other "ranges" are not allowed, and you'll
have to split it out into multiple CIDRs if possible.
Paul
============================================================================
According to Mr. Paul Wouters's answer, Openswan only takes CIDR notation
as the IP subnet range. I'm wondering whether that is still a limitation in the
latest (2.6.39) Openswan release. If so, does that mean Openswan cannot handle
the ID_IPV4_ADDR_RANGE ID type (Proxy ID) in phase 2 negotiation?
Thanks,
Yang
On Sat, Aug 3, 2013 at 9:49 AM, Yang Hsiung <yhsiung at zyxel.com> wrote:
> I'm sorry for the confusion about my original question. I'm NOT looking for
> a CIDR notation with prefix format in the ipsec.conf. I would like to know
> whether the Openswan configuration parser can handle the IP range format
> below in general:
>
> IP_ADDRESS_START - IP_ADDRESS_END
>
> "leftsubnet=192.168.0.1-192.168.0.100" was just an example.
>
> By looking into the Openswan source, I noticed that the ID_IPV4_ADDR_RANGE
> (RFC 2407 4.6.2.1) ID type is being handled. I'm wondering whether Openswan
> supports it. If so, what corresponding IP "range" format should be
> specified in the ipsec.conf?
>
> Thanks,
>
> Yang
>
> On Sat, Aug 3, 2013 at 5:57 AM, Binand Sethumadhavan <binand at gmx.net> wrote:
>
>> On 3 August 2013 05:13, Yang Hsiung <yhsiung at zyxel.com> wrote:
>> > leftsubnet=192.168.0.1-192.168.0.100
>> >
>> > If not, is there an alternative approach to configure the above example?
>>
>> Well, this is a bit convoluted but this set of leftsubnets:
>>
>> 192.168.0.1/32
>> 192.168.0.2/31
>> 192.168.0.4/30
>> 192.168.0.8/29
>> 192.168.0.16/28
>> 192.168.0.32/27
>> 192.168.0.64/27
>> 192.168.0.96/30
>> 192.168.0.100/32
>>
>> matches exactly 192.168.0.1-192.168.0.100.
>>
>> Binand
>>
>
>
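Added example, not part of the original thread or of Openswan: a Python sketch of the split into CIDR blocks that the replies describe, run on both ranges quoted above. The function names `range_to_cidrs` and `leftsubnets_line` are hypothetical, and the `leftsubnets={...}` brace form is an assumption to check against the ipsec.conf man page for your Openswan version.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Split an inclusive IPv4 range into the minimal list of CIDR blocks."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    blocks = []
    while lo <= hi:
        # A block starting at lo can be no larger than lo's alignment allows
        # (the number of trailing zero bits in lo) ...
        align = (lo & -lo).bit_length() - 1 if lo else 32
        # ... and no larger than the number of addresses still to cover.
        fit = (hi - lo + 1).bit_length() - 1
        host_bits = min(align, fit)
        blocks.append(ipaddress.IPv4Network((lo, 32 - host_bits)))
        lo += 1 << host_bits
    return blocks


def leftsubnets_line(first, last):
    """Format the blocks as one ipsec.conf line (assumed brace syntax)."""
    cidrs = " ".join(str(net) for net in range_to_cidrs(first, last))
    return "leftsubnets={" + cidrs + "}"


if __name__ == "__main__":
    # Ranges taken from the thread: the leftsubnet example and the
    # range offered by the Sonicwall peer in the 2010 message.
    for first, last in [("192.168.0.1", "192.168.0.100"),
                        ("192.168.1.21", "192.168.1.22")]:
        print(first, "-", last)
        for net in range_to_cidrs(first, last):
            print("   ", net)
        print("   ", leftsubnets_line(first, last))
```

The two-address Sonicwall range does not collapse into a /31 because 192.168.1.21 is odd, so it needs two /32 entries.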