[Swan-dev] failureshunt=drop (and netkey?)
Paul Wouters
paul at nohats.ca
Thu Nov 24 20:18:15 UTC 2016
I'm a little confused by failureshunt=drop. It does seem to work fine
when a connection that has been established goes bad. But it seems to not
prevent any leaking when a connection has not been started yet, or
when the initial load+start is failing.
My test: load mismatching connections on west and east, then
run --up on west. Let it release whack, and run a ping. The
swan12 device shows unencrypted pings and ip xfrm pol shows
no drop shunt. ipsec status shows failureDROP
Adding negotiationshunt=drop makes no difference. I suspect
this is only used for OE?
This is causing a leak.
Should we install a non-bare failureshunt when a (non-template)
connection is added using auto=add ?
Should we install a non-bare negotiationshunt when a (non-template)
connection is added using auto=add ?
If the answer is no, repeat the question for auto=route ?
(which would also apply to auto=start)
Note I only tested this for a net-to-net tunnel. There is an additional
complication for tunnels that have XXXsubnet=0.0.0.0/0
Paul
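A small check for the leak described above, added here as an example and not part of the original post or of libreswan itself. It reads `ip xfrm policy` output (the samples below are constructed, and the `action block` wording for a drop shunt follows iproute2's format, which is an assumption about the tool's output) and reports, for one src/dst selector pair, whether outbound traffic would be encrypted (`tunnel`), dropped by a shunt (`block`), or leave in the clear (`leak`). Pipe the live `ip xfrm policy` output into it after `--up` releases whack to confirm whether a shunt was actually installed.

```shell
#!/bin/sh
# classify_out_policy SRC DST
#   Reads `ip xfrm policy` output on stdin and prints one word:
#     tunnel - an outbound policy with an ESP template covers SRC->DST
#     block  - an outbound policy with "action block" covers SRC->DST
#              (what a failureshunt=drop / negotiationshunt=drop should install)
#     leak   - no outbound policy matches, so packets leave unencrypted
#   Only an exact selector match is considered; the first matching
#   outbound entry wins (a simplification, not the kernel's priority rule).
classify_out_policy() {
    awk -v src="$1" -v dst="$2" '
        function flush() {
            if (in_rec && cur_src == src && cur_dst == dst && dir == "out" && result == "") {
                if (action == "block") result = "block"
                else if (has_tmpl) result = "tunnel"
            }
            in_rec = 0
        }
        # "src X dst Y" opens a new policy record
        /^src / {
            flush()
            cur_src = $2; cur_dst = $4
            dir = ""; action = "allow"; has_tmpl = 0; in_rec = 1
            next
        }
        # "dir out [action block] priority N ptype main"
        in_rec && /^[ \t]*dir / {
            for (i = 1; i <= NF; i++) {
                if ($i == "dir") dir = $(i + 1)
                if ($i == "action") action = $(i + 1)
            }
        }
        # a tmpl line means the policy points at an SA (encrypted path)
        in_rec && /^[ \t]*tmpl / { has_tmpl = 1 }
        END { flush(); print (result == "" ? "leak" : result) }
    '
}

# Constructed sample: tunnel established between 192.0.2.0/24 and 198.51.100.0/24
sample_tunnel() {
cat <<'EOF'
src 192.0.2.0/24 dst 198.51.100.0/24
    dir out priority 1042407 ptype main
    tmpl src 203.0.113.1 dst 203.0.113.2
        proto esp reqid 16389 mode tunnel
src 198.51.100.0/24 dst 192.0.2.0/24
    dir in priority 1042407 ptype main
    tmpl src 203.0.113.2 dst 203.0.113.1
        proto esp reqid 16389 mode tunnel
EOF
}

# Constructed sample: drop shunt installed for the same selector pair
sample_block() {
cat <<'EOF'
src 192.0.2.0/24 dst 198.51.100.0/24
    dir out action block priority 1042407 ptype main
EOF
}

# Constructed sample: only an unrelated policy exists (the leak case)
sample_leak() {
cat <<'EOF'
src 10.0.0.0/8 dst 172.16.0.0/12
    dir out priority 1042407 ptype main
    tmpl src 203.0.113.1 dst 203.0.113.9
        proto esp reqid 16400 mode tunnel
EOF
}

# Stand-alone run: print the verdict for each constructed sample
sample_tunnel | classify_out_policy 192.0.2.0/24 198.51.100.0/24
sample_block  | classify_out_policy 192.0.2.0/24 198.51.100.0/24
sample_leak   | classify_out_policy 192.0.2.0/24 198.51.100.0/24
```

On a real host the same call is `ip xfrm policy | classify_out_policy LEFTSUBNET RIGHTSUBNET`; a `leak` verdict while `ipsec status` reports failureDROP is exactly the mismatch the post describes.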