[Swan] Before considering how Libreswan can be better coded
Philippe Vouters
philippe.vouters at laposte.net
Sat May 25 03:49:56 EEST 2013
Dear Tuomo,
The problem does not date from Openswan 2.4. It is more recent. I tested and
documented on my Web site that the configuration does work under Libreswan
3.0 and is broken in Libreswan 3.1 and 3.2. I did not test 3.3 but I do
not expect it to work any better. If you do trust me, which I accept from
anyone, please do perform the exact same test yourself under the closest
analogous conditions. You can download various Libreswan RPMs from the
Libreswan Web site.
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
On 05/24/2013 10:21 PM, Tuomo Soini wrote:
> On Fri, 24 May 2013 19:25:38 +0200
> Philippe Vouters <philippe.vouters at laposte.net> wrote:
>
>> Dear Paul and Hugh,
>>
>> Before anyone gives his point of view on how to better code
>> Libreswan, I'd like you to focus onto this Libreswan regression I
>> describe at
>> http://vouters.dyndns.org/tima/Linux-Libreswan-Setting_up_an_Intranet_VPN_with_Windows_7.html
>> Libreswan is losing credit in favor of the Shrew VPN client.
> rightsubnet=vhost:%priv,%no
>
> has been broken for virtual_private exclusion since 2005 - last time it
> worked was openswan-2.4.x.
>
> correct solution for now is:
>
> conn rw-natted
>     rightsubnet=vhost:%priv
>     also=rw
>
> conn rw
>     # do not fill rightsubnet in here at all
>
>
> That's the simplest way to work around the issue, and it has been for many
> years; it has been broken that way since 2005.
>
> While rightsubnet=vhost:%no should work for everybody without NAT,
> that's not true: virtual_private is still consulted, and subnets
> disallowed there are disallowed for the %no case too, which shouldn't
> happen. Yes, we know this, but because it is very easy to work around and
> there are lots of more important things to fix, this is still unfixed.
>
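As an added illustration, not part of Philippe's message or Tuomo's reply and not taken from the Libreswan project's own examples, here is a minimal ipsec.conf that puts the single-conn form Tuomo describes as broken next to the two-conn workaround he gives. The gateway address, LAN subnet, identity and connection names are placeholders I have assumed; the virtual_private line uses Libreswan's "!" prefix to exclude the gateway's own LAN from the ranges a road warrior may claim.

```ini
# Added example (not from the thread). All addresses, IDs and names are
# hypothetical placeholders; adjust to your own gateway and LAN.

config setup
    # Private ranges a road warrior behind NAT may claim via vhost:%priv.
    # The leading "!" excludes the gateway's own LAN. Per the thread, this
    # list is also consulted for the %no case, which is what breaks the
    # single-conn form below.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

# Form described as broken since 2005: one conn meant to accept both NATed
# clients (%priv) and non-NATed clients (%no). Kept commented out only so
# the difference from the workaround is visible.
#conn rw-broken
#    rightsubnet=vhost:%priv,%no
#    also=rw

# Workaround, part 1: NATed clients get a conn that adds vhost:%priv on
# top of the shared settings pulled in from "rw". also= is kept last in
# the section, as in the reply.
conn rw-natted
    rightsubnet=vhost:%priv
    also=rw

# Workaround, part 2: shared road-warrior settings, which also serve the
# non-NATed clients directly. Deliberately no rightsubnet= here at all
# (not even vhost:%no).
conn rw
    left=203.0.113.1            # hypothetical gateway public address
    leftsubnet=192.168.1.0/24   # hypothetical LAN behind the gateway
    leftid=@vpngw.example.org   # hypothetical gateway identity
    right=%any                  # road warriors connect from anywhere
    authby=secret               # PSK in ipsec.secrets; certificates work too
    auto=add                    # %any peers cannot be initiated, only accepted
```

With this layout a client that arrives from behind NAT matches rw-natted and may claim a private address from virtual_private, while a client on a public address matches rw with no virtual subnet check at all, sidestepping the %no handling Tuomo says is still consulted against virtual_private.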