[Swan-commit] Changes to ref refs/heads/master
Paul Wouters
paul at vault.libreswan.fi
Tue Aug 21 02:36:12 UTC 2018
New commits:
commit 839b259e14e3d83860d54e7573c34a3096c04c50
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Aug 20 18:59:26 2018 -0400
pluto: can_share_lease() should also not share for ID_IP type

This is because two clients behind the same NAT have the same "thatid"
that is used to determine if a returning connection is the same client.
For authby=psk the clients often send ID_IP. There is no guarantee that
a dynamic IP isn't used for a new/different client which should not
inherit the same lease that could have open connections to remote sides.
Note that can_share_lease() already didn't share leases for PSK, so
this change should not have any effect. ID_IP is not used when using
certificates, which use either ID_FQDN or ID_DER_ASN_DN.
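
The rule described in the commit message above, as an added example that is not libreswan's code: a simplified lease pool in which `may_share_lease()`, `acquire_lease()`, the structs, `AUTH_PSK`/`AUTH_CERT` and the pool are hypothetical names, and only the ID_* kinds come from the commit message. The sample peers are constructed.

```c
/* Added illustration: a simplified model, NOT libreswan's can_share_lease(). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum id_kind { ID_IP, ID_FQDN, ID_DER_ASN_DN };  /* ID types named in the commit */
enum auth_kind { AUTH_PSK, AUTH_CERT };          /* hypothetical enum */

struct peer { enum id_kind kind; enum auth_kind auth; const char *id; };
struct lease { bool in_use; char owner[64]; };

#define POOL_SIZE 4
static struct lease pool[POOL_SIZE];             /* hypothetical address pool */

/* Reuse is safe only when the presented ID identifies exactly one client. */
bool may_share_lease(const struct peer *p)
{
    if (p->auth == AUTH_PSK)
        return false;  /* already not shared for PSK, per the commit message */
    if (p->kind == ID_IP)
        return false;  /* same NAT or reused dynamic IP: same ID, other client */
    return true;       /* ID_FQDN / ID_DER_ASN_DN */
}

/* Returns a pool index, or -1 when the pool is exhausted. */
int acquire_lease(const struct peer *p)
{
    if (may_share_lease(p))
        for (int i = 0; i < POOL_SIZE; i++)
            if (pool[i].in_use && strcmp(pool[i].owner, p->id) == 0)
                return i;                      /* returning client keeps its lease */
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            snprintf(pool[i].owner, sizeof pool[i].owner, "%s", p->id);
            return i;                          /* fresh lease */
        }
    return -1;
}

int main(void)
{
    /* Constructed sample peers: two clients presenting the same ID_IP. */
    struct peer a = { ID_IP, AUTH_PSK, "192.0.2.10" }, b = a;
    struct peer c = { ID_FQDN, AUTH_CERT, "client.example.test" };
    int la = acquire_lease(&a), lb = acquire_lease(&b);
    int lc1 = acquire_lease(&c), lc2 = acquire_lease(&c);
    printf("a=%d b=%d c=%d c-again=%d\n", la, lb, lc1, lc2);
    return 0;
}
```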