[Openswan dev] regarding "virtual IP must only be used with %any and without client" and overlapip/mast

Paul Wouters paul at xelerance.com
Wed Jun 23 17:57:47 EDT 2010


Hi,

In connections.c there is code that will prevent the use of wildcards if
there is no right=%any or equivalent.

It will result in:

 	virtual IP must only be used with %any and without client

My question is what the reason behind this is? We are currently looking at
supporting something like:

config setup
 	protostack=mast
 	virtual_private="%v4:0.0.0.0/0,%v4:!1.2.3.0/24"

conn customer
 	left=1.2.3.4
 	right=5.6.7.8
 	rightsubnet=vnet:%priv
 	overlapip=yes

This will allow openswan to accept connections from customers with arbitrary
subnet tunnels. The Mast stack with overlapip=yes will properly mark the packets
with SArefs to distinguish these. In these cases, the right= is a known static IP,
though a rightid=@customerXX could also be used with a right=%any.

If I disable the code check listed above, and remove one passert() that checks on
this later, the connection establishes normally. My question is, would there be any
side effects? Or was this use case just not realised when the code to require right=%any
was written?

There is a similar issue when using a right=5.6.7.8 and rightprotoport=17/%any

Paul
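As an added illustration (not code from Openswan or from the post), the following Python snippet models the restriction the post describes and applies it to the conn above. The parser, the function names, and the relaxation condition (protostack=mast together with overlapip=yes) are assumptions made for this example, not Openswan's actual logic.

```python
"""Model of the "virtual IP must only be used with %any" rule as described
in the post. Constructed example; not Openswan's connections.c logic."""

# Constructed sample config: the 'customer' conn from the post plus a
# conventional road-warrior conn that uses right=%any.
SAMPLE_CONF = """\
config setup
    protostack=mast
    virtual_private="%v4:0.0.0.0/0,%v4:!1.2.3.0/24"

conn customer
    left=1.2.3.4
    right=5.6.7.8
    rightsubnet=vnet:%priv
    overlapip=yes

conn roadwarrior
    left=1.2.3.4
    right=%any
    rightsubnet=vnet:%priv
"""

def parse_conf(text):
    """Return ({setup option: value}, {conn name: {option: value}})."""
    setup, conns, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config setup"):
            cur = setup
        elif line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip().strip('"')
    return setup, conns

def virtual_ip_check(setup, conn, allow_mast_overlap=False):
    """A virtual right subnet (vnet:/vhost:) requires right=%any.  With
    allow_mast_overlap, the relaxation the post asks about (assumed here:
    protostack=mast and overlapip=yes) is accepted instead.
    Returns the error message or None when the conn passes."""
    sub = conn.get("rightsubnet", "")
    if not sub.startswith(("vnet:", "vhost:")):
        return None                      # no virtual IP involved
    if conn.get("right") == "%any":
        return None                      # the case the check allows today
    if (allow_mast_overlap and setup.get("protostack") == "mast"
            and conn.get("overlapip") == "yes"):
        return None                      # proposed exception (assumption)
    return "virtual IP must only be used with %any and without client"
```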

