[Swan-dev] failureshunt=drop (and netkey?)

Paul Wouters paul at nohats.ca
Fri Nov 25 16:18:11 UTC 2016


On Fri, 25 Nov 2016, Tuomo Soini wrote:

>> Should we install a non-bare failureshunt when a (non-template)
>> connection is added using auto=add ?
>
> Absolutely not. Add is waiting for other end to connect.

I'm not sure I agree. What could possibly be the purpose of:

conn subnet
 	left=
 	leftsubnet=10.0.1.0/24
 	right=
 	rightsubnet=192.168.0.0/16
 	auto=add

Should a machine that loads this connection really leak packets from
10.0.1.0/24 to 192.168.0.0/16 ? It really seems that is not the
intention here. Can you give me a use case where this would make sense?

Possibly when the subnets are non-NAT'ed it could make sense to allow
optional encryption, but still I think that is a far-fetched corner
case.

But I do agree that if auto=add would install a shunt, you would also
expect it to act on it like auto=route, which is a little confusing.

>> If the answer is no, repeat the question for auto=route ?
>> (which would also apply to auto=start)
>
> Yes to both of these - but remember, that means we MUST have ike pass
> in policy or we can break peer in peer subnet case.
>
>> Note I only tested this for a net-to-net tunnel. There is an
>> additional complication for tunnels that have XXXsubnet=0.0.0.0/0
>
> And any tunnel where peer address is inside subnet.

hmm, that would cause odd things too. Like you have auto=add but the
admin ran --up, and if the remote end would do a --down, would you
really want to leak packets?


You haven't convinced me yet your answers are correct :)

Paul
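As an added illustration (my own code, not libreswan's), a small Python check that reads a conn like the one above and reports the three conditions argued over in this thread: auto=add with no failureshunt=drop, an XXXsubnet=0.0.0.0/0 selector, and a peer address inside the far subnet, where IKE between the endpoints itself matches the shunt selectors. The host addresses in the sample are constructed; the post leaves left= and right= blank.

```python
import ipaddress
import re

# Constructed sample in ipsec.conf style: the subnets are the ones from the
# post, the left=/right= addresses are placeholders of my own.
SAMPLE_CONF = """
conn subnet
\tleft=10.0.1.1
\tleftsubnet=10.0.1.0/24
\tright=192.168.5.7
\trightsubnet=192.168.0.0/16
\tauto=add
"""

def parse_conns(text):
    """Minimal parser: 'conn NAME' headers followed by indented key=value lines."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def shunt_findings(conn):
    """Conditions from the thread that matter for a drop shunt covering
    leftsubnet<->rightsubnet while the tunnel is not up."""
    out = []
    ls = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    rs = ipaddress.ip_network(conn["rightsubnet"], strict=False)
    if conn.get("auto") == "add" and conn.get("failureshunt") != "drop":
        out.append("auto=add without failureshunt=drop: nothing in this conn "
                   "shunts %s -> %s while it is not up" % (ls, rs))
    for side, net in (("leftsubnet", ls), ("rightsubnet", rs)):
        if net.prefixlen == 0:
            out.append("%s=%s: a shunt on it covers all traffic" % (side, net))
    left = ipaddress.ip_address(conn["left"])
    right = ipaddress.ip_address(conn["right"])
    if left in ls and right in rs:  # peer-in-peer-subnet case: IKE hits the shunt
        out.append("IKE %s -> %s matches the %s -> %s selectors: "
                   "IKE must be passed explicitly" % (left, right, ls, rs))
    return out

if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE_CONF).items():
        for finding in shunt_findings(conn):
            print("%s: %s" % (name, finding))
```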
