[Openswan dev] regarding "virtual IP must only be used with %any and without client" and overlapip/mast
Michael Richardson
mcr at sandelman.ca
Thu Jun 24 09:47:30 EDT 2010
>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
>> Well, I didn't write the virtualIP support (It was a
>> SuperFreeSWAN 1.99 patch, I think), nor did we get test cases for
>> it at the time, so I can only guess at what the
>> constraints/boundary conditions of the design were.
>>
>> I can't think of a reason why the outer policy of who one will
>> accept the connection from has anything to do with what tunnel is
>> expressed inside.
Paul> It seemed the original restriction was based on single conns,
Paul> versus multiple instantiations of a conn. Using "%any"
Paul> anywhere in a conn causes it to instantiate, even if you just
Paul> meant to say "any tcp port". (unless you use 0 but the whole
Paul> "any 1" vs "any" is another confusing matter)
Yes, which is what I wrote about a long time ago, about marking the
wildcards which are wildcards, vs which mean populate-from-packet.
>> I can't put that combination together in my head right now.
Paul> You can currently specify:
I mean, I can't determine what the implications of the policy are.
--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
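For readers who have not hit this message before, the restriction the thread is about is enforced when a conn is loaded, so the shape of the ipsec.conf matters. The following is an added illustration, not configuration posted by Michael, Paul or the Openswan project; the addresses, subnets and conn names are made up. The first conn is the form Openswan accepts (the peer is `%any`, and the only thing on the right is the virtual host spec); the second only differs in naming a fixed peer address, which is what triggers "virtual IP must only be used with %any and without client" when you run `ipsec auto --add` on it.

```ini
config setup
        # Pool of addresses a road warrior may claim as its virtual IP.
        # The "!" entry excludes the LAN behind left so a client cannot
        # claim an address that collides with a real internal host.
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24
        protostack=netkey

# Accepted: right is %any, and rightsubnet carries only the virtual
# host spec. Each connecting client instantiates its own copy of the
# conn, with the client's inner address filled in from the proposal.
conn roadwarrior
        left=192.0.2.1
        leftsubnet=192.168.1.0/24
        right=%any
        rightsubnet=vhost:%priv,%no
        authby=rsasig
        auto=add

# Rejected (assumed example): identical except that right names a
# fixed peer instead of %any, so the conn can never be instantiated
# per client and the virtual IP spec has no template to apply to.
conn roadwarrior-fixed-peer
        left=192.0.2.1
        leftsubnet=192.168.1.0/24
        right=198.51.100.7
        rightsubnet=vhost:%priv,%no
        authby=rsasig
        auto=add
```

The `%no` at the end of `rightsubnet=vhost:%priv,%no` is what lets a client that proposes no inner address at all still match; `%priv` is what lets one claim an address out of `virtual_private`. Note that this is exactly the wildcard-versus-populate-from-packet ambiguity Michael refers to above: `%any` in `right=` means "instantiate a copy per peer", while the same token inside a protoport such as `rightprotoport=tcp/%any` means "take the port from the triggering packet", and both cause the conn to be treated as a template.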