[Swan-dev] Opportunistic IPSec with wide clear policy issue

Paul Wouters paul at nohats.ca
Wed Nov 21 13:19:57 UTC 2018


On Wed, 21 Nov 2018, Kirill Logachev wrote:

> Thanks for fixing the docs!
> Yes, not specifying 0/0 in clear fixes the problem.

Good!

> Priorities for the OE still seem a little confusing, probably some documentation around it would be
> helpful.

The idea is that no one should need to use manual priorities, and that
priorities are based on "longest prefix first". However, this cannot
cover all possible scenarios so priority can be used for the exceptional
cases where our guess on longest prefix first is wrong. I think this
really only comes into play when you include protoport selectors. For
example, one might want to add 0.0.0.0:tcp:22 to "clear" to avoid double
encryption. It would have to be prioritized over say 1.2.3.4/32 in
"private" which has a longer prefix.

In general, we advise people not to play tricks with protoports.

> Please let me know if I can help with it.

Anyone who wants to help with documentation is welcome. We are a wiki
but we limited user registration because of spam. Anyone who wants to
help can just request a wiki user. And we welcome all help with
documentation.

Paul
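The "longest prefix first" rule and the protoport exception Paul describes, as an added illustration that is not libreswan's own selection code: a small model where a manual priority (assumed here to mean "lower number wins") overrides prefix length. The `clear`/`private` entries, the `CIDR:proto:port` entry syntax handled by `parse_policy`, and the flows are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Constructed model of "longest prefix first" with a manual priority as the
# escape hatch. Not libreswan's code; entries and the priority semantics
# (lower number wins, any explicit priority beats an automatic one) are
# assumptions made for this illustration.

@dataclass(frozen=True)
class Policy:
    group: str                       # "clear" or "private"
    subnet: ipaddress.IPv4Network
    proto: Optional[str] = None      # e.g. "tcp"; None matches any protocol
    port: Optional[int] = None       # None matches any port
    priority: Optional[int] = None   # manual override (assumed: lower wins)

def parse_policy(group: str, entry: str) -> Policy:
    """Parse entries like '1.2.3.4/32' or '0.0.0.0/0:tcp:22' (assumed syntax)."""
    parts = entry.split(":")
    net = ipaddress.ip_network(parts[0], strict=False)
    proto = parts[1] if len(parts) > 1 else None
    port = int(parts[2]) if len(parts) > 2 else None
    return Policy(group, net, proto, port)

def matches(p: Policy, dst: str, proto: str, port: int) -> bool:
    return (ipaddress.ip_address(dst) in p.subnet
            and (p.proto is None or p.proto == proto)
            and (p.port is None or p.port == port))

def select(policies, dst: str, proto: str, port: int) -> Optional[str]:
    """Pick the policy group for a flow: an explicit priority wins outright,
    otherwise the most specific (longest) prefix wins."""
    cands = [p for p in policies if matches(p, dst, proto, port)]
    if not cands:
        return None
    manual = [p for p in cands if p.priority is not None]
    if manual:
        return min(manual, key=lambda p: p.priority).group
    return max(cands, key=lambda p: p.subnet.prefixlen).group

# The scenario from the message: by prefix length alone, SSH to 1.2.3.4
# lands in "private", so it would be encrypted twice.
POLICIES = [parse_policy("clear", "0.0.0.0/0:tcp:22"),
            parse_policy("private", "1.2.3.4/32")]

# Giving the clear entry a manual priority makes it win for tcp/22 only;
# other traffic to 1.2.3.4 still goes to "private".
PRIORITIZED = [replace(POLICIES[0], priority=10), POLICIES[1]]
```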

