[Swan-dev] overlapping address pools

D. Hugh Redelmeier hugh at mimosa.com
Mon Apr 21 02:43:50 EEST 2014

| From: Antony Antony <antony at phenome.org>

| It would be nice to have an options to assign unique address. When there 
| is an overlap, the new pool mark the unused overlapping addresses in the 
| old pool as used. If an address already in use in an old pool mark it 
| used in the new pool.

That's the kind of logic that I tried to portray as theoretically
useful but probably used rarely enough that it isn't worth the
considerable effort of coding, testing, and documenting.  What's the

I also am suspicious of anything that isn't symmetric when the problem
seems more-or-less symmetric.  And you've got to make sure that the
solution is transitive (i.e. what happens when a third inexactly
overlapping pool comes along, and a fourth, ... all with complicated

| In libreswan, as far I know, there is no overlap check for a subnet. An 
| address pool is very similar to a subnet, imagine it as a /32 subnet. 
| You could even replace it with a subnet. If subnet overlaps with another 
| subnet there is no warning. Then I am wondering why treat an addresspool 
| overlap as an error?

When two subnets overlap, one contains the other (they can be the
same, in which case they contain each other).  That's simpler than
IP-address ranges that are used for addresspools.  Especially when
considering more than two.

Libreswan assigns from the addresspool.  Subnet assignment isn't our

In the old days, FreeS/WAN installed eroutes and routes, and the rules
of routing dictated what would happen.  Something well-defined: the
smaller subnet wins.  I think that FreeS/WAN generated an error if the
subnets were identical but the routing was different.  I don't know
what happens now.

More information about the Swan-dev mailing list