[Swan] [libreswan] conn type=passthrough (#5) (fwd)
Paul Wouters
pwouters at redhat.com
Mon Mar 18 19:31:00 EET 2013
I guess we should really allow the priority to be configurable,
or at least give type=passthrough a higher priority.
Paul
---------- Forwarded message ----------
Date: Mon, 18 Mar 2013 12:21:19
From: PepeN <notifications at github.com>
To: libreswan/libreswan <libreswan at noreply.github.com>
Subject: [libreswan] conn type=passthrough (#5)
X-Spam-Flag: NO
Hi
test config:
conn passclear
    type=passthrough
    authby=never
    left=10.1.1.3
    leftnexthop=10.1.1.1
    leftsubnet=10.1.0.0/16
    right=10.2.1.2
    rightsubnet=10.1.0.0/16
    auto=route

conn ipsec-for-all
    type=tunnel
    authby=rsasig
    auth=esp
    leftrsasigkey=%cert
    pfs=yes
    rekey=yes
    left=10.1.1.3
    leftcert=test.cert
    leftnexthop=10.1.1.1
    right=10.2.1.2
    rightsubnet=10.0.0.0/8
    rightrsasigkey=%cert
    auto=start
In Libreswan 3.1 (Openswan 2.6.x) the following policies are installed (ip xfrm policy):
src 10.1.1.3/32 dst 10.0.0.0/8 dir out priority 2104 tmpl src 10.1.1.3 dst 10.2.1.2 proto esp reqid 16389 mode tunnel
src 10.0.0.0/8 dst 10.1.1.3/32 dir fwd priority 2104 tmpl src 10.2.1.2 dst 10.1.1.3 proto esp reqid 16389 mode tunnel
src 10.0.0.0/8 dst 10.1.1.3/32 dir in priority 2104 tmpl src 10.2.1.2 dst 10.1.1.3 proto esp reqid 16389 mode tunnel
src 10.1.0.0/16 dst 10.1.0.0/16 dir fwd priority 2608
src 10.1.0.0/16 dst 10.1.0.0/16 dir in priority 2608
src 10.1.0.0/16 dst 10.1.0.0/16 dir out priority 2608
And on Openswan 2.4.x the following policies are installed (ip xfrm policy):
src 10.1.1.3/32 dst 10.0.0.0/8 dir out priority 2104 tmpl src 10.1.1.3 dst 10.2.1.2 proto esp reqid 16389 mode tunnel
src 10.0.0.0/8 dst 10.1.1.3/32 dir fwd priority 2104 tmpl src 10.2.1.2 dst 10.1.1.3 proto esp reqid 16389 mode tunnel
src 10.0.0.0/8 dst 10.1.1.3/32 dir in priority 2104 tmpl src 10.2.1.2 dst 10.1.1.3 proto esp reqid 16389 mode tunnel
src 10.1.0.0/16 dst 10.1.1.3/32 dir fwd priority 1096
src 10.1.0.0/16 dst 10.1.1.3/32 dir in priority 1096
src 10.1.1.3/32 dst 10.1.0.0/16 dir out priority 1096
Apparently the problem is in the priorities.
This is a bug in openswan #1131.