[Openswan dev] regarding "virtual IP must only be used with %any and without client" and overlapip/mast
Paul Wouters
paul at xelerance.com
Wed Jun 23 17:57:47 EDT 2010
Hi,
In connections.c there is code that will prevent the use of wildcards if
there is no right=%any or equivalent.
It will result in:
virtual IP must only be used with %any and without client
My question is what the reason behind this is? We are currently looking at
supporting something like:
config setup
        protostack=mast
        virtual_private="%v4:0.0.0.0/0,%v4:!1.2.3.0/24"

conn customer
        left=1.2.3.4
        right=5.6.7.8
        rightsubnet=vnet:%priv
        overlapip=yes
This will allow openswan to accept connections from customers with arbitrary
subnet tunnels. The Mast stack with overlapip=yes will properly mark the packets
with SArefs to distinguish these. In these cases, the right= is a known static IP,
though a rightid=@customerXX could also be used with a right=%any.
If I disable the code check listed above, and remove one passert() that checks on
this later, the connection establishes normally. My question is, would there be any
side effects? Or was this use case just not realised when the code to require right=%any
was written?
There is a similar issue when using a right=5.6.7.8 and rightprotoport=17/%any
Paul
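The two rules the message is about, the virtual_private include/exclude list and the "virtual IP must only be used with %any" check from connections.c, modelled in Python as an added illustration. This is not Openswan's code and not part of the original message: the parser only handles the %v4:/%v6: prefixes and the "!" exclusion marker, the Conn class and function names are invented for the example, and the %any check only models the right=%any half of the diagnostic (the "without client" half is not modelled). The sample subnets are constructed.

```python
import ipaddress
from dataclasses import dataclass


def parse_virtual_private(spec):
    """Parse an ipsec.conf virtual_private string such as
    "%v4:0.0.0.0/0,%v4:!1.2.3.0/24" into (allowed, excluded) network lists.
    Simplified model: only %v4:/%v6: entries and the '!' exclusion marker."""
    allowed, excluded = [], []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if not item.startswith(("%v4:", "%v6:")):
            raise ValueError(f"unsupported virtual_private entry: {item!r}")
        body = item[4:]
        if body.startswith("!"):
            excluded.append(ipaddress.ip_network(body[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(body, strict=False))
    return allowed, excluded


def subnet_is_virtual_private(subnet, allowed, excluded):
    """A subnet proposed by a peer for rightsubnet=vnet:%priv is acceptable
    when it lies entirely inside one allowed network and does not overlap
    any excluded network (an excluded network protects e.g. the local LAN).
    Address families are compared explicitly, because subnet_of() raises
    on a v4/v6 mix."""
    net = ipaddress.ip_network(subnet, strict=False)
    inside = any(net.version == a.version and net.subnet_of(a) for a in allowed)
    clashes = any(net.version == e.version and net.overlaps(e) for e in excluded)
    return inside and not clashes


@dataclass
class Conn:
    """Hypothetical minimal model of a conn section (invented for the example)."""
    name: str
    right: str            # peer address or "%any"
    rightsubnet: str      # e.g. "vnet:%priv" or "10.0.0.0/24"
    overlapip: bool = False


def check_virtual_ip_rule(conn):
    """Model of the connections.c rule quoted in the message: a virtual client
    subnet (vnet:/vhost:) is only accepted when right=%any.  Returns None when
    the conn passes, otherwise the diagnostic text."""
    virtual = conn.rightsubnet.startswith(("vnet:", "vhost:"))
    if virtual and conn.right != "%any":
        return "virtual IP must only be used with %any and without client"
    return None


if __name__ == "__main__":
    allowed, excluded = parse_virtual_private("%v4:0.0.0.0/0,%v4:!1.2.3.0/24")
    for s in ("10.9.8.0/24", "1.2.3.128/25", "1.2.0.0/16"):
        print(s, "ok" if subnet_is_virtual_private(s, allowed, excluded) else "refused")
    customer = Conn("customer", right="5.6.7.8", rightsubnet="vnet:%priv", overlapip=True)
    print(customer.name, check_virtual_ip_rule(customer))
    print("with %any:", check_virtual_ip_rule(Conn("customer", "%any", "vnet:%priv")))
```

The exclusion test uses overlaps() rather than subnet_of() on purpose: a proposed 1.2.0.0/16 that contains the excluded 1.2.3.0/24 must be refused just as a subnet inside it is.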