[Openswan dev] openswan cisco interop patches

Paul Wouters paul at xelerance.com
Mon Jul 11 15:55:57 EDT 2011

On Mon, 11 Jul 2011, Avesh Agarwal wrote:

>> However, even if it is done, it should be overwritten by the ip addresss 
>> received from the server. But it is difficult to know if the old address in 
>> the source ip field is from the old connection instance or due to wrong 
>> connection definition by mistake as you said.
> Wanted to add that i think, if we prevent of setting leftsourceip and 
> remote_peer_type in the same connection definition, then it should resolve 
> this issue.

I am still not happy that openswan could delete your eth0 main IP addresss,
based on a remote server setting. It's a security vulnerability to allow
that. (I know openvpn can push *any* route to the client, but I think that's
a problem, not a feature)

We should never delete an IP we did not add ourselves. So while doing some
extra checks for misconfigurations might resolve some issues, I would also
want openswan to be safe against rogue or compromised xauth cisco servers.


More information about the Dev mailing list