[Swan] leftsubnet(s) query and possible ipsec auto --replace bug

Nick Howitt nick at howitts.co.uk
Sun Jan 28 09:26:57 UTC 2018


Hi Paul,

I've been playing around with leftsubnet and leftsubnets to see if 
either leftsubnet can be used for multiple subnets (it can't) or if 
leftsubnets can be used for a single subnet (it can with or without the 
braces). Is there any disadvantage of using leftsubnets for a single 
subnet apart from it appending an instantiation marker to the conn name?

While doing this checking I was using the "ipsec auto --replace" command 
and I think I have a problem. If you have leftsubnets={subnetA subnetB}, 
xfrm policies are put in place for both subnets. If you change your file 
and remove subnetB from leftsubnets and do an "ipsec auto --replace" it 
leaves the xfrm policy for subnetB in place rather than remove it. Is 
this the expected behaviour? It is like it reads the updated file and 
uses this to change the conn but it only changes the bits it sees from 
the file and not the bit that was removed.

Regards,

Nick
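One practical way to catch the situation described in this message, as an added example that is not part of the thread and not libreswan's own tooling: compare the outbound xfrm policies actually installed with the left subnets the conn is configured for, and report any policy whose source subnet is no longer in the configuration. The conn name `mytunnel`, the addresses, the ipsec.conf fragment and the `ip xfrm policy show` text below are all constructed for the example; on a live host the same functions would be fed the real file and the real command output.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from libreswan):
# report outbound xfrm policies whose src subnet is not in the conn's
# leftsubnet=/leftsubnets= setting, e.g. a policy left behind after a
# subnet was removed and "ipsec auto --replace" was run.

# Constructed ipsec.conf fragment: subnetB (10.2.0.0/24) has been removed.
SAMPLE_CONF='conn mytunnel
    left=192.0.2.1
    leftsubnets={10.1.0.0/24}
    right=198.51.100.1
    rightsubnet=10.9.0.0/24
'

# Constructed "ip xfrm policy show" output: the outbound policy for
# 10.2.0.0/24 is still installed although the conn no longer lists it.
SAMPLE_XFRM='src 10.1.0.0/24 dst 10.9.0.0/24
    dir out priority 1042407 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16389 mode tunnel
src 10.2.0.0/24 dst 10.9.0.0/24
    dir out priority 1042407 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16390 mode tunnel
src 10.9.0.0/24 dst 10.1.0.0/24
    dir in priority 1042407 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16389 mode tunnel
'

# configured_left_subnets CONF_TEXT CONN_NAME
# Prints the left subnets of the named conn, one per line. Handles
# leftsubnet=, and leftsubnets= with or without braces.
configured_left_subnets() {
    printf '%s\n' "$1" | awk -v conn="$2" '
        /^conn / { cur = $2; next }
        cur == conn && /^[ \t]*leftsubnets?=/ {
            sub(/^[ \t]*leftsubnets?=/, "")   # drop the key
            gsub(/[{},]/, " ")                # braces/commas -> separators
            for (i = 1; i <= NF; i++) print $i
        }'
}

# stale_out_policies XFRM_TEXT CONF_TEXT CONN_NAME
# Prints the src subnet of every "dir out" policy that is not among the
# configured left subnets. Empty output means nothing is stale.
stale_out_policies() {
    xfrm=$1; conf=$2; conn=$3
    want=$(configured_left_subnets "$conf" "$conn")
    printf '%s\n' "$xfrm" | awk -v want="$want" '
        BEGIN { n = split(want, w, "\n"); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        /^src / { src = $2 }                   # remember the policy selector
        /^[ \t]*dir out/ { if (!(src in ok)) print src }'
}

# Stand-alone run against the constructed data; prints 10.2.0.0/24.
stale_out_policies "$SAMPLE_XFRM" "$SAMPLE_CONF" mytunnel
```

On a real host the call would be `stale_out_policies "$(ip xfrm policy show)" "$(cat /etc/ipsec.conf)" mytunnel`; a non-empty result after `ipsec auto --replace` is the leftover-policy condition described above, and the quick remedy is to delete and re-add the conn (or restart pluto) so the stale selector is flushed along with the rest.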
