[Openswan dev] regarding "virtual IP must only be used with %any and without client" and overlapip/mast

Michael Richardson mcr at sandelman.ca
Thu Jun 24 09:47:30 EDT 2010

>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
    >> Well, I didn't write the virtualIP support (It was a
    >> SuperFreeSWAN 1.99 patch, I think), nor did we get test cases for
    >> it at the time, so I can only guess at what the
    >> constraints/boundary conditions of the design were.
    >> I can't think of a reason why the outer policy of who one will
    >> accept the connection from has anything to do with what tunnel is
    >> expressed inside.

    Paul> It seemed the original restriction was based on single conns,
    Paul> versus multiple instantiations of a conn. Using "%any"
    Paul> anywhere in a conn causes it to instantiate, even if you just
    Paul> meant to say "any tcp port".  (unless you use 0 but the whole
    Paul> "any 1" vs "any" is another confusing matter)

Yes, which is what I wrote about a long time ago, about marking the
wildcards which are wildcards, vs which mean populate-from-packet.

    >> I can't put that combination together in my head right now.

    Paul> You can currently specify:

I mean, I can't determine what the implications of the policy are.

]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
	               then sign the petition. 
