[Swan-dev] failureshunt=drop (and netkey?)
Tuomo Soini
tis at foobar.fi
Fri Nov 25 08:25:25 UTC 2016
On Thu, 24 Nov 2016 15:18:15 -0500 (EST)
Paul Wouters <paul at nohats.ca> wrote:
>
> I'm a little confused by failureshunt=drop. It does seem to work fine
> when a connection that has established, goes bad. But it seems to not
> prevent any leaking when a connection has not been started yet, or
> when the initial load+start is failing.
>
> my test: load mismatching connections on west and east, then
> run --up on west. Let it release whack, and run a ping. The
> swan12 device shows unencrypted pings and ip xfrm pol shows
> no drop shunt. ipsec status shows failureDROP
>
> Adding negotiationshunt=drop makes no difference. I suspect
> this is only used for OE?
>
> This is causing a leak.
>
> Should we install a non-bare failureshunt when a (non-template)
> connection is added using auto=add ?
Absolutely not. Add is waiting for other end to connect.
> Should we install a non-bare negotiationshunt when a (non-template)
> connection is added using auto=add ?
Same.
> If the answer is no, repeat the questio for auto=route ?
> (which would also apply to auto=start)
Yes to both of these - but remember, that means we MUST have ike pass
in policy or we can break peer in peer subnet case.
> Note I only tested this for a net-to-net tunnel. There is an
> additional complication for tunnels that have XXXsubnet=0.0.0.0/0
And any tunnel where peer address is inside subnet.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
More information about the Swan-dev
mailing list