[Swan] SonicWALL "Route Based VPN"

Paul Wouters paul at nohats.ca
Fri Dec 12 18:04:58 EET 2014


On Fri, 12 Dec 2014, Warren Howard wrote:

> I'm playing around with a Dell SonicWALL (TZ 210 wireless-N). It has an option for a type of VPN called a "Route
> Based VPN", which I'm interested in configuring to work with my VPN server that uses Libreswan 3.12.
> 
> The Dell SonicWALL makes the following proposal:
> 
> "the peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0"
> 
> My question is, what does a proposal like this mean to Libreswan?

Basically, a "routed VPN" (as opposed to a "policy VPN") has a security
policy that allows "everything from/to anywhere", which is the policy
quoted above. Then "routing" is used on both ends to only send those
packets that are desired through the VPN. This clearly downgrades the
VPN security, but it makes administration much easier.

The way to support this in libreswan is by using the kernel Virtual
Tunnel Interface code in the updown script. We have not done so yet.
While supporting this won't be too hard, we do have to be careful in
the updown scripts because we (already) need to do some special handling
with 0.0.0.0/0 cases.

Documentation is a little sparse, but see:
https://gitorious.org/kernel-linux/linux-stable/commit/a77db44038f976c2734fb3d2b1ed0cb9c3afde75

Any vti support can be added to programs/_updown.netkey/ although
perhaps it would later on get folded into programs/pluto/kernel_netlink.c
directly.

Paul
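An added example, not code from this thread or from libreswan, of what the kernel side of such a "routed VPN" looks like when done by hand, since the message says the updown script does not set it up yet. The conn stanza is the libreswan counterpart of the peer's 0.0.0.0/0 -> 0.0.0.0/0 proposal (leftsubnet and rightsubnet both 0.0.0.0/0). The VTI key becomes the XFRM mark, and the catch-all policies carry the same mark, so they only match packets that routing has steered into the tunnel interface rather than all traffic leaving the host. All addresses (RFC 5737 documentation ranges), the interface name vti0, the mark 42 and the remote network 192.0.2.0/24 are hypothetical, and the script assumes the IPsec SAs themselves are negotiated by IKE and already in place; whether the IKE daemon's own policies agree with the marked ones here is the coordination problem the message describes, and is left as an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from libreswan: manual kernel-side
# setup of a route-based IPsec VPN over a Virtual Tunnel Interface (VTI).
# Assumptions (hypothetical values): RFC 5737 addresses, interface vti0,
# mark 42, remote network 192.0.2.0/24, SAs already negotiated by IKE.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes them (needs root).
set -eu

LOCAL_IP=203.0.113.1      # this host's outer address
PEER_IP=198.51.100.1      # the peer's (SonicWALL's) outer address
REMOTE_NET=192.0.2.0/24   # network behind the peer that should use the tunnel
VTI=vti0
MARK=42                   # VTI key, which the kernel uses as the XFRM mark

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# libreswan conn stanza matching the quoted proposal: both selectors are
# 0.0.0.0/0, i.e. the IPsec policy itself accepts everything.
ipsec_conn_stanza() {
    cat <<EOF
conn sonicwall-routed
    left=$LOCAL_IP
    leftsubnet=0.0.0.0/0
    right=$PEER_IP
    rightsubnet=0.0.0.0/0
    authby=secret
    auto=add
EOF
}

# Create the tunnel interface. disable_policy=1 keeps the kernel from
# re-checking already decapsulated packets against a policy on vti0.
vti_up() {
    run ip link add "$VTI" type vti local "$LOCAL_IP" remote "$PEER_IP" key "$MARK"
    run sysctl -q -w "net.ipv4.conf.$VTI.disable_policy=1"
    run ip link set "$VTI" up
}

# Catch-all policies, restricted by mark: only packets that passed through
# vti0 (and therefore carry MARK) match; other traffic on the host does not.
xfrm_policies() {
    run ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 dir out mark "$MARK" \
        tmpl src "$LOCAL_IP" dst "$PEER_IP" proto esp mode tunnel
    run ip xfrm policy add src 0.0.0.0/0 dst 0.0.0.0/0 dir in mark "$MARK" \
        tmpl src "$PEER_IP" dst "$LOCAL_IP" proto esp mode tunnel
}

# Routing, not the IPsec policy, now decides what gets encrypted: only
# REMOTE_NET is sent into the tunnel. Since the policy accepts anything the
# peer injects, filter on the interface to recover some of the restriction
# a policy-based VPN would have given for free.
routes_and_filter() {
    run ip route add "$REMOTE_NET" dev "$VTI"
    run iptables -A FORWARD -i "$VTI" ! -s "$REMOTE_NET" -j DROP
    run iptables -A INPUT   -i "$VTI" ! -s "$REMOTE_NET" -j DROP
}

main() {
    ipsec_conn_stanza    # printed for review; goes into ipsec.conf
    vti_up
    xfrm_policies
    routes_and_filter
}
main
```

Run it as is to review the generated stanza and commands; run it with DRY_RUN=0 as root to apply the kernel side. The interface filter is the practical answer to the "downgrade" the message mentions: with a 0.0.0.0/0 policy the peer can send any source address through the tunnel, so the restriction has to be re-imposed on vti0.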

