[Swan-dev] connalias
Paul Wouters
paul at nohats.ca
Mon Aug 27 01:46:11 UTC 2018
On Sun, 26 Aug 2018, D. Hugh Redelmeier wrote:
> Why is connalias not documented?
I think because it is supposed to be an "internal API".
> It is tested in testing/pluto/alias-01.
There it is used explicitly. I think this is used to alias
connections for subnets=, e.g.
conn test
	leftsubnets={10.0.2.0/24, 10.0.1.0/24}
	rightsubnets={192.168.0.0/24, 192.168.100.0/24}
[...]
This will create 3 conns:
test/0x1
test/0x2
test/1x1
test/0x2
(I believe left starts at 0 and right starts at 1 for unknown reasons)
Anyway, when you do ipsec auto --down test, it will find these "aliases"
too and bring those 4 conns down.
see: ikev2-16-alias-whack-start
> If it isn't documented, does anyone use it? If not, can we delete it?
So yes, it is used and you cannot delete it. I guess possibly we _could_
delete the exported keyword and make it all internal-only, but this goes
from libipsecconf via whack to pluto and I don't remember where the
conn expansion takes place.
Paul
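The expansion Paul describes above, as an added worked example (not Libreswan's own code, and not from the thread): a small parser for the conn syntax quoted in the mail that expands leftsubnets= x rightsubnets= into one conn per subnet pair, tags each child with connalias=<parent>, and then resolves what an "ipsec auto --down test" would act on. The child naming (left index from 0, right index from 1) follows Paul's recollection in the post and is an assumption here, as are the accepted separators inside the braces and the treatment of connalias= as a space-separated list; the sample conf and addresses are constructed.

```python
import re
from itertools import product

# Constructed sample, mirroring the conn quoted in the post (not from the project).
SAMPLE_CONF = """\
conn test
        leftsubnets={10.0.2.0/24, 10.0.1.0/24}
        rightsubnets={192.168.0.0/24, 192.168.100.0/24}
        left=192.1.2.45
        right=192.1.2.23
        auto=add
"""


def parse_conn_sections(text):
    """Parse 'conn NAME' sections into {name: {key: value}}.

    Minimal ipsec.conf subset: '#' comments, blank lines, 'key=value' lines
    belonging to the most recent 'conn' header. Other sections are ignored.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r'^conn\s+(\S+)\s*$', line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None or '=' not in line:
            continue
        key, value = line.strip().split('=', 1)
        current[key.strip()] = value.strip()
    return conns


def split_subnets(value):
    """'{a, b}' or '{a b}' -> ['a', 'b']. Braces optional; separators are an assumption."""
    inner = value.strip()
    if inner.startswith('{') and inner.endswith('}'):
        inner = inner[1:-1]
    return [s for s in re.split(r'[\s,]+', inner) if s]


def expand_conn(name, conn, left_base=0, right_base=1):
    """Expand leftsubnets= x rightsubnets= into per-pair conns named NAME/<l>x<r>.

    Each child gets leftsubnet=/rightsubnet= for its pair and connalias=NAME so
    the parent name still resolves to all of them. Index bases are an assumption
    taken from the post (left counts from 0, right from 1). A conn without both
    subnets= lists is returned unchanged.
    """
    lefts = split_subnets(conn.get('leftsubnets', ''))
    rights = split_subnets(conn.get('rightsubnets', ''))
    if not lefts or not rights:
        return {name: dict(conn)}
    children = {}
    for (li, l), (ri, r) in product(enumerate(lefts, left_base),
                                    enumerate(rights, right_base)):
        child = {k: v for k, v in conn.items()
                 if k not in ('leftsubnets', 'rightsubnets')}
        child['leftsubnet'] = l
        child['rightsubnet'] = r
        child['connalias'] = name
        children[f'{name}/{li}x{ri}'] = child
    return children


def load_conns(text):
    """Parse and expand every conn section of an ipsec.conf-style text."""
    expanded = {}
    for name, conn in parse_conn_sections(text).items():
        expanded.update(expand_conn(name, conn))
    return expanded


def conns_matching(conns, target):
    """Names an 'ipsec auto --down TARGET' would act on: the exact name plus
    every conn whose connalias= (assumed space-separated) lists TARGET."""
    return sorted(n for n, c in conns.items()
                  if n == target or target in c.get('connalias', '').split())


if __name__ == '__main__':
    conns = load_conns(SAMPLE_CONF)
    for n in sorted(conns):
        print(n, conns[n]['leftsubnet'], '<->', conns[n]['rightsubnet'])
    print('down test ->', conns_matching(conns, 'test'))
```

Running it prints the four expanded conns (test/0x1, test/0x2, test/1x1, test/1x2) with their subnet pairs, and shows that "test" itself no longer exists as a conn but resolves through the alias to all four, which is why deleting the keyword would break --down on the parent name.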