[Swan-dev] failureshunt=drop (and netkey?)

Tuomo Soini tis at foobar.fi
Fri Nov 25 08:25:25 UTC 2016


On Thu, 24 Nov 2016 15:18:15 -0500 (EST)
Paul Wouters <paul at nohats.ca> wrote:

> 
> I'm a little confused by failureshunt=drop. It does seem to work fine
> when a connection that has established, goes bad. But it seems to not
> prevent any leaking when a connection has not been started yet, or
> when the initial load+start is failing.
> 
> my test: load mismatching connections on west and east, then
> run --up on west. Let it release whack, and run a ping. The
> swan12 device shows unencrypted pings and ip xfrm pol shows
> no drop shunt. ipsec status shows failureDROP
> 
> Adding negotiationshunt=drop makes no difference. I suspect
> this is only used for OE?
> 
> This is causing a leak.
> 
> Should we install a non-bare failureshunt when a (non-template)
> connection is added using auto=add ?

Absolutely not. Add is waiting for other end to connect.

> Should we install a non-bare negotiationshunt when a (non-template)
> connection is added using auto=add ?

Same.

> If the answer is no, repeat the question for auto=route ?
> (which would also apply to auto=start)

Yes to both of these - but remember, that means we MUST have ike pass
in policy or we can break peer in peer subnet case.
 
> Note I only tested this for a net-to-net tunnel. There is an
> additional complication for tunnels that have XXXsubnet=0.0.0.0/0

And any tunnel where peer address is inside subnet.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
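One way to check for the leak Paul's test describes, as an added example that is not part of this thread or of libreswan: parse `ip xfrm policy` output and classify what the kernel will do with an outbound packet, including the "IKE pass between peers that sit inside the subnet" case Tuomo raises. The policy dump, addresses and reqid below are constructed for the example.

```python
import ipaddress
import re

# Constructed `ip xfrm policy` output, not captured from the thread's test:
# a block shunt for the west-east subnet pair, a narrower pass policy for IKE
# between gateways whose addresses lie inside those subnets, and one
# established tunnel to a third subnet.
SAMPLE_XFRM_POLICY = """\
src 192.0.2.0/24 dst 198.51.100.0/24
\tdir out action block priority 1568 ptype main
src 192.0.2.1/32 dst 198.51.100.1/32 proto udp sport 500 dport 500
\tdir out priority 1 ptype main
src 192.0.2.0/24 dst 203.0.113.0/24
\tdir out priority 1568 ptype main
\ttmpl src 192.0.2.1 dst 203.0.113.1
\t\tproto esp reqid 16389 mode tunnel
"""

SELECTOR = re.compile(r"^src (\S+) dst (\S+)(?: proto (\S+))?(?: sport (\d+))?(?: dport (\d+))?")
DIRLINE = re.compile(r"^\s+dir (\w+)(?: action (\w+))? priority (\d+)")

def parse_policies(text):
    """Turn `ip xfrm policy` output into policy dicts. `ip xfrm` prints
    "action block" only for block policies; no action word means allow."""
    policies, cur = [], None
    for line in text.splitlines():
        m = SELECTOR.match(line)
        if m:
            cur = {"src": ipaddress.ip_network(m[1]), "dst": ipaddress.ip_network(m[2]),
                   "proto": m[3], "sport": int(m[4]) if m[4] else None,
                   "dport": int(m[5]) if m[5] else None, "tmpl": False}
            policies.append(cur)
            continue
        m = DIRLINE.match(line)
        if m and cur:
            cur["dir"], cur["action"], cur["prio"] = m[1], m[2] or "allow", int(m[3])
        elif cur and line.strip().startswith("tmpl "):
            cur["tmpl"] = True   # an IPsec template: traffic gets encrypted
    return policies

def disposition(policies, src, dst, proto=None, sport=None, dport=None):
    """'tunnel' (encrypted), 'block' (shunt drops it), 'pass' (explicitly
    allowed in the clear, e.g. IKE between peers) or 'leak' (no policy
    matches at all, so plaintext goes out with no shunt installed)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies if p.get("dir") == "out" and s in p["src"] and d in p["dst"]
            and p["proto"] in (None, proto) and p["sport"] in (None, sport)
            and p["dport"] in (None, dport)]
    if not hits:
        return "leak"
    best = min(hits, key=lambda p: p["prio"])   # lowest priority number wins in xfrm
    if best["action"] == "block":
        return "block"
    return "tunnel" if best["tmpl"] else "pass"
```

Feed it the real dump (`ip xfrm policy`) and the tuple of the test ping; "leak" is exactly the state Paul observed on the swan12 device.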