[Openswan dev] feedback desired: Forcing CK_PERMANENT to CK_TEMPLATE - new option?

Paul Wouters paul at xelerance.com
Tue Aug 10 17:34:10 EDT 2010


I have the following conn on the server:

conn foo
 	left=1.2.3.4
 	right=5.6.7.8
 	authby=secret
 	[...]
 	rightsubnet=192.168.40.0/24

This conn (without any rightid=/leftid=) works, but the client has to
tell the server that it uses 192.168.40.0/24, so the server can hardcode
this. So we recently ensured you can instead use:

 	rightsubnet=vnet:%priv

which basically means "any subnet" listed in virtual_private. This works
fine, and with the MAST/SAref code it can even cover overlapping client
subnets.

Now we want the client to start 2 subnets to the server. Only the
first one succeeds. On the second one, the connection is skipped (I guess
because it is already up) and it is not a CK_TEMPLATE (but CK_PERMANENT).

A quick hack confirmed this. If I use right=%any, both of the connections
come up using the vnet syntax. Of course, with multiple incoming
connections from different "right" identities that only auth with PSK
based on their IP, we cannot specify right=%any, but need to use their IP.

I am contemplating adding an option that tells pluto this conn should be
treated as a CK_TEMPLATE, e.g. instantiate=yes, which would just change
the policy inside from CK_PERMANENT to CK_TEMPLATE.

Does anyone see a problem with this? Or a more elegant solution?

Paul
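The behaviour described in the message above, as an added illustration that is not part of the original post and not pluto's code: a constructed Python model of the connection lookup. It assumes a simplified lookup where a conn matches an incoming peer when its right= is that peer's IP or %any, where rightsubnet=vnet:%priv accepts any subnet covered by virtual_private, and where a CK_PERMANENT conn that is already up is skipped while a CK_TEMPLATE conn is instantiated once per negotiation. The virtual_private syntax (%v4:net, %v4:!net) is Openswan's; the class and function names (Pluto, Conn, negotiate, run_scenario) are invented for this example.

```python
"""Constructed model (not pluto's code) of CK_PERMANENT vs CK_TEMPLATE
behaviour when one peer IP proposes two client subnets against a conn
that uses rightsubnet=vnet:%priv.  All names here are hypothetical."""
import ipaddress
from dataclasses import dataclass, field

CK_PERMANENT = "CK_PERMANENT"
CK_TEMPLATE = "CK_TEMPLATE"


def parse_virtual_private(spec):
    """Split a virtual_private= value into (allowed, excluded) network lists."""
    allowed, excluded = [], []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("%v4:") or item.startswith("%v6:"):
            item = item[4:]
        if item.startswith("!"):
            excluded.append(ipaddress.ip_network(item[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(item, strict=False))
    return allowed, excluded


def subnet_allowed(subnet, spec):
    """True if subnet lies inside an allowed range and overlaps no excluded one."""
    net = ipaddress.ip_network(subnet, strict=False)
    allowed, excluded = parse_virtual_private(spec)
    if not any(net.subnet_of(a) for a in allowed if a.version == net.version):
        return False
    return not any(net.overlaps(x) for x in excluded if x.version == net.version)


@dataclass
class Conn:
    name: str
    right: str        # peer IP or "%any"
    rightsubnet: str  # a CIDR or "vnet:%priv"
    kind: str         # CK_PERMANENT or CK_TEMPLATE


@dataclass
class Pluto:
    """Minimal stand-in for pluto's connection table (constructed model)."""
    virtual_private: str
    conns: list
    up: list = field(default_factory=list)  # (conn name, peer, subnet) established
    instances: int = 0

    def find_conn(self, peer):
        # Prefer an exact right= match over a %any conn.
        exact = [c for c in self.conns if c.right == peer]
        wild = [c for c in self.conns if c.right == "%any"]
        return (exact or wild or [None])[0]

    def subnet_ok(self, conn, subnet):
        if conn.rightsubnet == "vnet:%priv":
            return subnet_allowed(subnet, self.virtual_private)
        return ipaddress.ip_network(conn.rightsubnet) == ipaddress.ip_network(subnet)

    def negotiate(self, peer, subnet):
        """Return a short verdict for a peer proposing a client subnet."""
        conn = self.find_conn(peer)
        if conn is None:
            return "no conn for peer"
        if not self.subnet_ok(conn, subnet):
            return "subnet not permitted"
        if conn.kind == CK_PERMANENT:
            # A permanent conn is a single object: once it is up, a second
            # subnet from the same peer has nothing left to negotiate against.
            if any(name == conn.name for name, _, _ in self.up):
                return "skipped: conn already up"
            self.up.append((conn.name, peer, subnet))
            return "up: " + conn.name
        # A template is instantiated afresh for every negotiation.
        self.instances += 1
        inst = "%s[%d]" % (conn.name, self.instances)
        self.up.append((inst, peer, subnet))
        return "up: " + inst


def run_scenario(kind):
    """Peer 5.6.7.8 brings up two subnets, then one excluded from virtual_private."""
    pluto = Pluto(
        virtual_private="%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:!192.168.1.0/24",
        conns=[Conn("foo", "5.6.7.8", "vnet:%priv", kind)],
    )
    return [pluto.negotiate("5.6.7.8", "192.168.40.0/24"),
            pluto.negotiate("5.6.7.8", "192.168.41.0/24"),
            pluto.negotiate("5.6.7.8", "192.168.1.0/24")]


if __name__ == "__main__":
    for kind in (CK_PERMANENT, CK_TEMPLATE):
        print(kind, run_scenario(kind))
```

With the permanent conn the second subnet is reported as skipped because the conn is already up; with the template kind each subnet gets its own instance, which is the effect the proposed instantiate=yes option would give a conn that still pins right= to the peer's IP.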
