[Swan] leftsubnet(s) query and possible ipsec auto --replace bug

Paul Wouters paul at nohats.ca
Sun Jan 28 16:18:38 UTC 2018


On Sun, 28 Jan 2018, Nick Howitt wrote:

> I've been playing around with leftsubnet and leftsubnets to see if either 
> leftsubnet can be used for multiple subnets (it can't) or if leftsubnets can 
> be used for a single subnet (it can with or without the braces). Is there any 
> disadvantage of using leftsubnets for a single subnet apart from it appending 
> an instantiation marker to the conn name?

In theory, it should make no difference. In practice it does because of
the instantiation. It is best to avoid instantiation if you do not need
it.

> While doing this checking I was using the "ipsec auto --replace" command and 
> I think I have a problem. If you have leftsubnets={subnetA subnetB}, xfrm 
> policies are put in place for both subnets. If you change your file and 
> remove subnetB from leftsubnets and do an "ipsec auto --replace" it leaves 
> the xfrm policy for subnetB in place rather than remove it. Is this the 
> expected behaviour? It is like it reads the updated file and uses this to 
> change the conn but it only changes the bits it sees from the file and not 
> the bit that was removed.

That is a bug. It should replace all instantiations of the connection.

Paul
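As an added example (not from this thread or from libreswan itself), a small check for the mismatch described above: it compares the subnets listed in a conn's leftsubnets= against the outbound xfrm policies actually installed and reports any source subnet that is no longer configured. The ipsec.conf fragment, the `ip xfrm policy` output and all addresses are constructed sample data.

```shell
# Added example (not from the thread): compare leftsubnets= for a conn with
# the xfrm policies actually installed and report any outbound policy whose
# source subnet is no longer configured. The inputs below are constructed;
# on a real host feed it /etc/ipsec.conf and the output of `ip xfrm policy`.

# Constructed ipsec.conf after subnetB (10.0.2.0/24) was removed from leftsubnets.
CONF='conn office
    leftsubnets={10.0.1.0/24}
    rightsubnet=192.168.50.0/24
    auto=start'

# Constructed `ip xfrm policy` output: the policy for 10.0.2.0/24 is still there.
XFRM='src 10.0.1.0/24 dst 192.168.50.0/24
    dir out priority 1042407 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.2
        proto esp reqid 16389 mode tunnel
src 10.0.2.0/24 dst 192.168.50.0/24
    dir out priority 1042407 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.2
        proto esp reqid 16390 mode tunnel'

# configured_subnets CONF CONN: subnets listed in leftsubnets= (braces optional), one per line.
configured_subnets() {
    printf '%s\n' "$1" | awk -v conn="$2" '
        /^conn / { cur = $2 }
        cur == conn && /leftsubnets=/ {
            sub(/.*leftsubnets=/, ""); gsub(/[{}]/, "")
            for (i = 1; i <= NF; i++) print $i
        }'
}

# stale_policies XFRM RIGHT SUBNETS: sources of outbound policies towards RIGHT
# that are missing from the space-separated SUBNETS list (dir in/fwd are ignored).
stale_policies() {
    printf '%s\n' "$1" | awk -v right="$2" -v want=" $3 " '
        /^src / && $4 == right { src = $2; next }
        src != "" && /dir out/ && index(want, " " src " ") == 0 { print src }
        { src = "" }'
}

# check_conn CONF XFRM CONN RIGHT: returns 0 when kernel state matches the config.
check_conn() {
    subnets=$(configured_subnets "$1" "$3" | tr '\n' ' ')
    stale=$(stale_policies "$2" "$4" "$subnets")
    [ -z "$stale" ] && { echo "xfrm policies match leftsubnets for $3"; return 0; }
    printf 'stale xfrm policy left after --replace: %s\n' $stale
    return 1
}

check_conn "$CONF" "$XFRM" office 192.168.50.0/24 || true
```

On the constructed input this reports 10.0.2.0/24 as stale, which is the lingering policy Nick describes; after a correct replace the two lists agree and the check returns 0.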
