[Openswan dev] regarding "virtual IP must only be used with %any and without client" and overlapip/mast

David McCullough david_mccullough at mcafee.com
Wed Jun 23 20:17:03 EDT 2010

Jivin Paul Wouters lays it down ...
> Hi,
> In connections.c there is code that will prevent the use of wildcards if
> there is no right=%any or equivalent.
> It will result in:
>  	virtual IP must only be used with %any and without client
> My question is what the reason behind this is? We are currently looking at
> supporting something like:
> config setup
>  	protostack=mast
>  	virtual_private="%v4:,%v4:!"
> conn customer
>  	left=
>  	right=
>  	rightsubnet=vnet:%priv
>  	overlapip=yes
> This will allow openswan to accept connections from customers with arbitrary
> subnet tunnels. The Mast stack with overlapip=yes will properly mark the packets
> with SArefs to distinguish these. In these cases, the right= is a known static IP,
> though a rightid=@customerXX could also be used with a right=%any.
> If I disable the code check listed above, and remove one passert() that checks on
> this later, the connection establishes normally. My question is, would there be any
> side effects? Or was this use case just not realised when the code to require right=%any
> was written?
> There is a similar issue when using a right= and rightprotoport=17/%any

I don't think I have any problems with it, it sounds fair.

All the seemingly arbitrary restrictions with ipsec tunnels drive me nuts and
I'd love to see some go :-)


David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
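The restriction the thread is asking about ("virtual IP must only be used with %any and without client") is applied by pluto at config load time. The following is an added example, not code from the thread or from Openswan itself: a small linter that parses an ipsec.conf-style file and reports conns combining a vnet:%priv subnet with a fixed left= or right= address, which stock Openswan rejects, and flags whether the conn is the protostack=mast plus overlapip=yes case Paul proposes. The sample configuration is constructed here (the IP addresses and virtual_private ranges are placeholders, not values from the thread), and only the %any half of the check is modelled; the "without client" half is not.

```python
import re

# Constructed sample ipsec.conf, modelled on the conn quoted in the thread.
# Addresses and virtual_private ranges are placeholders, not from the post.
SAMPLE_CONF = """\
config setup
\tprotostack=mast
\tvirtual_private=%v4:10.0.0.0/8,%v4:!10.1.0.0/16

conn customer
\tleft=192.0.2.1
\tright=198.51.100.7
\trightsubnet=vnet:%priv
\toverlapip=yes

conn roadwarrior
\tleft=192.0.2.1
\tright=%any
\trightsubnet=vnet:%priv
"""


def parse_ipsec_conf(text):
    """Parse ipsec.conf-style text into {"conn name" / "config setup": {key: value}}.

    Section headers start in column 0; options are indented key=value lines.
    Comments (#) and blank lines are ignored. Good enough for the linter below,
    not a full ipsec.conf parser.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = f"{kind} {name}".strip()
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def uses_virtual_ip(subnet):
    """True when a leftsubnet/rightsubnet value requests a virtual IP (vnet:%priv)."""
    return bool(re.search(r"vnet:[^,]*%priv", subnet))


def check_virtual_ip(sections):
    """Report (conn, side, address) triples that stock Openswan rejects with
    'virtual IP must only be used with %any and without client', i.e. a
    vnet:%priv subnet on a side whose own address is not %any."""
    findings = []
    for name, opts in sections.items():
        if not name.startswith("conn "):
            continue
        for side in ("left", "right"):
            subnet = opts.get(side + "subnet", "")
            addr = opts.get(side, "")
            if uses_virtual_ip(subnet) and addr != "%any":
                findings.append((name, side, addr))
    return findings


def mast_overlap_case(sections, conn_name):
    """True when the conn is the use case from the thread: protostack=mast in
    'config setup' together with overlapip=yes on the conn, where SArefs keep
    overlapping customer subnets apart."""
    setup = sections.get("config setup", {})
    conn = sections.get(conn_name, {})
    return setup.get("protostack") == "mast" and conn.get("overlapip") == "yes"


if __name__ == "__main__":
    parsed = parse_ipsec_conf(SAMPLE_CONF)
    for conn, side, addr in check_virtual_ip(parsed):
        note = " (mast/overlapip case)" if mast_overlap_case(parsed, conn) else ""
        print(f"{conn}: {side}subnet uses vnet:%priv but {side}={addr}{note}")
```

Run against the constructed sample, "conn customer" is reported (fixed right= with a virtual rightsubnet) and marked as the mast/overlapip case, while "conn roadwarrior" passes because right=%any. Where the thread's patched pluto accepts the former, this check tells you which conns will need that patch before they load.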
