[Swan-dev] check_connection_end() seems neutered

Paul Wouters paul at nohats.ca
Tue Jul 29 20:37:13 EEST 2014


On Tue, 29 Jul 2014, D. Hugh Redelmeier wrote:

> There are substantive tests that have been wrapped in #if 0.  Why?
>
> ce2cea89 (Michael Richardson  2006-07-28 15:26:49 -0400 1025)
>
> 	Maybe RW with PSK and RSA can both be OK.

I think this first #if 0 can be permanently removed. There are cases
where we might pick the wrong Main Mode IKEv1 client when PSKs are
different, but the known solution for that is Aggressive Mode or IKEv2.

Rejecting any mix of psk/rsa connections seems wrong, so I agree the
commented out code is wrong.

> ec977000 (Paul Wouters        2010-06-25 15:25:06 -0400 1042)
>
> 	"Allow rightsubnet=vnet:%priv or rightprotoport=17/%any without
> 	right=%any"
>
> #if 0 should not be considered permanent.

This is also a valid use case, eg:

conn rfc1918
	left=1.2.3.4
	right=5.6.7.8
	leftsubnet=0.0.0.0/0
	rightsubnet=vnet:%priv

With virtual_private= in "config setup" set to RFC1918 space, this
connection will allow the remote to connect one or more of their
subnets to this connection. For instance, this connection can
instantiate into two conns, 0.0.0.0/0 <=> 10.0.0.0/8 and 0.0.0.0/0 <=>
192.168.0.0/16.

This is used by some swan cloud deployments (e.g. content filters), usually
in combination with overlapip=yes, to allow multiple customers to have
similar RFC1918 spaces (supported by custom iptables or kernel modules
to track flows using ip_conntrack and send them back to the right IPsec
SA).

> If the code should be removed (I'm not convinced), the surrounding code
> can be simplified.

So I'm fine with removing the two #if 0 chunks.

Paul
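As an added illustration (not part of the original mail, and not a config shipped by the project), here is the "config setup" half that the conn above depends on, put together with the conn itself. The virtual_private= value and the excluded local LAN (192.168.1.0/24) are assumed example values; %priv only matches what virtual_private= lists, so any subnet the remote proposes outside that list is rejected.

```conf
config setup
	# Assumed example: RFC1918 space the remote may claim via vnet:%priv,
	# minus the LAN this gateway itself uses (the "!" entry is an exclusion).
	virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

# The conn from the mail, with the overlapip=yes mentioned for multi-customer
# deployments so two remotes may both instantiate 0.0.0.0/0 <=> 10.0.0.0/8.
conn rfc1918
	left=1.2.3.4
	right=5.6.7.8
	leftsubnet=0.0.0.0/0
	rightsubnet=vnet:%priv
	overlapip=yes
	auto=add
```

With overlapip=no (the default) a second remote proposing an already-instantiated private subnet would be refused; with overlapip=yes both instantiate, and it is then up to the out-of-band conntrack/iptables logic the mail mentions to return each flow to the correct SA, since pluto alone cannot disambiguate overlapping selectors.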


