[Openswan dev] Problems with masquerade and sourceip /32 netmask

Tuomo Soini tis at foobar.fi
Tue Jul 6 17:31:45 EDT 2010


I can say using the netmask of the remote network for addsource() in
_updown.netkey is a totally broken idea.

Think about a vpn tunnel with rightsubnet=0.0.0.0/0 - that would give a
netmask of 0 for addsource. So the idea is completely broken.

Could you try this patch to see if it makes masquerade work as expected
with a /32 netmask?

I'd generally say that masquerade to a vpn tunnel is a braindead idea and
should not ever be done by default.

If masquerade to a vpn tunnel is wanted, it should at least be done
explicitly with the -m policy iptables module. And SNAT should be used
instead of MASQUERADE.


-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openswan-git-a7385c3907e9ab14e5d641ba98f6851d9b967631.patch
Type: text/x-patch
Size: 800 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/dev/attachments/20100707/379536ff/attachment.bin 
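As an added illustration of the NAT advice in the message above (this script is not part of the post, the attached patch, or the Openswan tree), the following POSIX shell script builds the POSTROUTING rules the way Tuomo describes: packets that the kernel will encapsulate in IPsec are selected with the iptables `policy` match, NAT into the tunnel uses SNAT to the fixed leftsourceip rather than MASQUERADE, and ordinary Internet masquerading is placed after an exemption so that tunnel-bound traffic is never rewritten by it. All addresses and the interface name are constructed for the example, and it assumes the IPsec policy already selects the LAN traffic (i.e. leftsubnet covers the LAN), which is what makes `--pol ipsec` match before the NAT rewrite. It runs as a dry run by default and only calls `iptables` when `APPLY=1`.

```shell
#!/bin/sh
# Added example, not from the original post or the Openswan project.
# Builds POSTROUTING NAT rules for a gateway that carries an IPsec tunnel:
#   - NAT into the tunnel is restricted with "-m policy --dir out --pol ipsec"
#     and uses SNAT to a fixed address instead of MASQUERADE;
#   - tunnel-bound packets are exempted before the Internet MASQUERADE rule.
#
# Constructed (assumed) values; override via the environment if needed:
#   LAN       hosts behind this gateway
#   LEFT_SRC  leftsourceip of the tunnel (the /32 address added by _updown)
#   REMOTE    rightsubnet of the tunnel
#   WAN       Internet-facing interface
LAN=${LAN:-192.168.1.0/24}
LEFT_SRC=${LEFT_SRC:-10.1.0.1}
REMOTE=${REMOTE:-10.2.0.0/16}
WAN=${WAN:-eth0}

# Print the rule arguments, one rule per line, in the order they must be
# appended. Nothing is executed here, so the output can be inspected or
# asserted on.
nat_rules() {
    # 1. NAT *into* the tunnel: only packets towards the remote subnet that
    #    the kernel will protect with IPsec, rewritten to the fixed
    #    leftsourceip. SNAT keeps the source stable regardless of which
    #    address the outgoing interface happens to carry.
    echo "-t nat -A POSTROUTING -s $LAN -d $REMOTE -m policy --dir out --pol ipsec -j SNAT --to-source $LEFT_SRC"
    # 2. Any other IPsec-bound packet leaves the NAT table untouched. Without
    #    this, the MASQUERADE rule below would rewrite its source address and
    #    the packet would no longer match the tunnel's selector.
    echo "-t nat -A POSTROUTING -o $WAN -m policy --dir out --pol ipsec -j ACCEPT"
    # 3. Plain Internet traffic from the LAN is masqueraded as usual.
    echo "-t nat -A POSTROUTING -o $WAN -s $LAN -j MASQUERADE"
}

# Count how many rules carry the policy match; useful as a sanity check
# before applying (both tunnel-related rules must have it).
policy_rule_count() {
    nat_rules | grep -c -- '-m policy --dir out --pol ipsec'
}

# Apply the rules with the real iptables binary only when APPLY=1;
# otherwise just show the commands that would be run (dry run).
apply_rules() {
    nat_rules | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            # shellcheck disable=SC2086  # intentional word splitting
            iptables $rule
        else
            echo "iptables $rule"
        fi
    done
}

apply_rules
```

Rule order matters: the SNAT rule must precede the ACCEPT exemption, because an ACCEPT in the nat table ends rule evaluation for that packet, and both must precede the MASQUERADE rule. The `-m policy` options used here (`--dir`, `--pol`) are standard iptables policy-match options.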

