[Swan] Before considering how Libreswan can be better coded

Tuomo Soini tis at foobar.fi
Fri May 24 23:21:37 EEST 2013


On Fri, 24 May 2013 19:25:38 +0200
Philippe Vouters <philippe.vouters at laposte.net> wrote:

> Dear Paul and Hugh,
> 
> Before anyone gives his point of view on how to better code
> Libreswan, I'd like you to focus onto this Libreswan regression I
> describe at
> http://vouters.dyndns.org/tima/Linux-Libreswan-Setting_up_an_Intranet_VPN_with_Windows_7.html
> Libreswan is losing credits in favor of Shrew VPN client.

rightsubnet=vhost:%priv,%no

has been broken for virtual_private exclusion since 2005 - the last time it
worked was openswan-2.4.x.

The correct solution for now is:

conn rw-natted
	rightsubnet=vhost:%priv
	also=rw

conn rw
	# do not fill rightsubnet in here at all


That's been the simplest way to work around the issue for many years - it
has been broken that way since 2005.

While rightsubnet=vhost:%no should work for everybody without NAT,
that's not true: virtual_private is still consulted, and subnets
disallowed there are disallowed for the %no case too, which shouldn't
happen. Yes, we know this, but because it is very easy to work around and
there are lots of more important things to fix, it is still unfixed.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
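The two-conn layout from the reply above, written out as a complete minimal ipsec.conf fragment with the virtual_private setting it depends on. This is an added illustration, not configuration from the original post or from the Libreswan project; the gateway LAN 192.168.1.0/24, the exact virtual_private ranges, and the use of a pre-shared secret (authby=secret) are assumed placeholders. The broken single-conn form is kept as a comment next to the working form so the difference is visible.

```ini
config setup
    # Ranges a road warrior may present as its own (virtual) address,
    # minus the gateway's real LAN (192.168.1.0/24, assumed here), which
    # a client must never be allowed to claim. The "!" entry is the
    # exclusion; it only takes effect when vhost:%priv is used.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

# Broken form, for comparison only (do not use): the %no alternative is
# still filtered against virtual_private, so non-NATed clients whose
# address falls in an excluded range are rejected.
#conn rw-broken
#    rightsubnet=vhost:%priv,%no

conn rw
    # Shared settings. Deliberately no rightsubnet= here, so this conn
    # matches clients that are not behind NAT.
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    right=%any
    authby=secret
    auto=add

conn rw-natted
    # NATed clients: accept a virtual address drawn from virtual_private,
    # subject to its exclusions, and inherit everything else from rw.
    rightsubnet=vhost:%priv
    also=rw
```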