[Openswan dev] Openswan 2.4.0 virtual_private problems

Dmitriy ddmk at r66.ru
Tue Sep 20 00:49:23 CEST 2005


I am sorry.
Really, the IPsec connection is established between the openswan server and the EXTERNAL 
IP of the NAT router,
so the internal IP of the NATed client has no meaning.
(I had no access to the openswan log when I posted the previous message; I was on the 
test client machine...)

However, if somebody connects not to the external interface of the openswan 
server, openswan will create a wrong route on this internal interface to 
somebody's IP.

(I tested this when connecting to openswan from an internal IP (internal 
network) to the openswan external interface: openswan really adds a route to the 
external interface for my IP, so my real connection to the openswan server is 
immediately lost.)

So currently I do not understand how virtual_private works.

----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "Dmitriy" <ddmk at r66.ru>
Sent: Saturday, September 17, 2005 8:48 PM
Subject: Re: [Openswan dev] Openswan 2.4.0 virtual_private problems


> On Sat, 17 Sep 2005, Dmitriy wrote:
>
>> Sorry, but I tested: the connection is fully workable, so this is a security bug.
>
> That is highly unlikely. Please verify this by checking the packets sent 
> from a different machine,
> since tcpdump does not show what is actually going out of the machine.
>
> Paul
>
>> ----- Original Message ----- From: "Paul Wouters" <paul at xelerance.com>
>> To: "Dmitriy" <ddmk at r66.ru>
>> Cc: <dev at openswan.org>
>> Sent: Saturday, September 17, 2005 5:35 AM
>> Subject: Re: [Openswan dev] Openswan 2.4.0 virtual_private problems
>>
>>
>>> On Fri, 16 Sep 2005, Dmitriy wrote:
>>>
>>>> connecting from NAT with IP 192.168.50.15
>>>> connection successfully initialized, route to external interface added.
>>>>
>>>> I think it must not appear.
>>>> (security hole because 192.168.50.0/24 is the internal private network of the VPN 
>>>> server)
>>>
>>> The IPsec policies will make sure those packets will not leak out.
>>>
>>> Paul
>>
>
> -- 
>
> "Happiness is never grand"
>
>  --- Mustapha Mond, World Controller (Brave New World) 
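The usual mitigation for the situation described in this thread is to list the server's own LAN as an exclusion in virtual_private (the `%v4:!NET` form of the ipsec.conf syntax), so a NATed client claiming an address from that subnet is refused before any route is installed. The following is an added illustration of that acceptance check, not code from Openswan or from this thread; it assumes only the documented `%v4:NET` / `%v4:!NET` syntax and uses 192.168.50.0/24 from the thread as the constructed local subnet.

```python
# Added illustration of evaluating a virtual_private specification against a
# NATed client's private address. Not Openswan's own code; it only mimics the
# documented ipsec.conf syntax (%v4:NET allowed, %v4:!NET excluded).
import ipaddress

def parse_virtual_private(spec: str):
    """Split a virtual_private string into (allowed, excluded) IPv4 network lists."""
    allowed, excluded = [], []
    for item in spec.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue  # %v6: entries are ignored in this illustration
        body = item[len("%v4:"):]
        if body.startswith("!"):
            excluded.append(ipaddress.ip_network(body[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(body, strict=False))
    return allowed, excluded

def client_address_acceptable(spec: str, client_ip: str) -> bool:
    """True if client_ip lies inside an allowed range and outside every exclusion.

    Exclusions win over allowed ranges, so a client behind NAT that presents an
    address from the server's own LAN is rejected even though 192.168.0.0/16 is
    otherwise permitted. That is what keeps the server from adding a route for
    that address over its external interface and clobbering its LAN route.
    """
    addr = ipaddress.ip_address(client_ip)
    allowed, excluded = parse_virtual_private(spec)
    if any(addr in net for net in excluded):
        return False
    return any(addr in net for net in allowed)

# Constructed sample: the server's own LAN (192.168.50.0/24 in the thread) is excluded.
LOCAL_LAN = "192.168.50.0/24"
SPEC = "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!" + LOCAL_LAN

if __name__ == "__main__":
    for ip in ("192.168.50.15", "192.168.1.20", "8.8.8.8"):
        verdict = "accepted" if client_address_acceptable(SPEC, ip) else "rejected"
        print(f"{ip}: {verdict}")
```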