[Openswan dev] regarding "virtual IP must only be used with %any and without client" and overlapip/mast
David McCullough
david_mccullough at mcafee.com
Wed Jun 23 20:17:03 EDT 2010
Jivin Paul Wouters lays it down ...
>
> Hi,
>
> In connections.c there is code that will prevent the use of wildcards if
> there is no right=%any or equivalent.
>
> It will result in:
>
> virtual IP must only be used with %any and without client
>
> My question is what the reason behind this is? We are currently looking at
> supporting something like:
>
> config setup
> protostack=mast
> virtual_private="%v4:0.0.0.0/0,%v4:!1.2.3.0/24"
>
> conn customer
> left=1.2.3.4
> right=5.6.7.8
> rightsubnet=vnet:%priv
> overlapip=yes
>
> This will allow openswan to accept connections from customers with arbitrary
> subnet tunnels. The Mast stack with overlapip=yes will properly mark the packets
> with SArefs to distinguish these. In these cases, the right= is a known static IP,
> though a rightid=@customerXX could also be used with a right=%any.
>
> If I disable the code check listed above, and remove one passert() that checks on
> this later, the connection establishes normally. My question is, would there be any
> side effects? Or was this use case just not realised when the code to require right=%any
> was written?
>
> There is a similar issue when using a right=5.6.7.8 and rightprotoport=17/%any
I don't think I have any problems with it, it sounds fair.
All the seemingly arbitrary restrictions with ipsec tunnels drive me nuts and
I'd love to see some go :-)
Cheers,
Davidm
--
David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org