[Openswan dev] openswan cisco interop patches
Paul Wouters
paul at xelerance.com
Mon Jul 11 15:55:57 EDT 2011
On Mon, 11 Jul 2011, Avesh Agarwal wrote:
>>
>> However, even if it is done, it should be overwritten by the ip address
>> received from the server. But it is difficult to know if the old address in
>> the source ip field is from the old connection instance or due to wrong
>> connection definition by mistake as you said.
>>
> Wanted to add that I think, if we prevent setting leftsourceip and
> remote_peer_type in the same connection definition, then it should resolve
> this issue.
I am still not happy that openswan could delete your eth0 main IP address,
based on a remote server setting. It's a security vulnerability to allow
that. (I know openvpn can push *any* route to the client, but I think that's
a problem, not a feature.)
We should never delete an IP we did not add ourselves. So while doing some
extra checks for misconfigurations might resolve some issues, I would also
want openswan to be safe against rogue or compromised xauth cisco servers.
Paul
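The rule Paul states above, never delete an IP address the client did not add itself, as an added illustration that is not openswan code and not part of this thread: a small Python simulation with a constructed interface address list and two hypothetical client classes. `NaiveClient` deletes whatever address sits in its source-IP field at teardown, so a misconfigured `leftsourceip` or a rogue XAUTH server that assigns the host's existing address removes eth0's main IP. `SafeClient` records which addresses it installed and only ever removes those. The addresses (192.0.2.10/24, 10.99.0.5/32) are made-up example values.

```python
import ipaddress
import logging

log = logging.getLogger("vpn-sim")


class Interface:
    """Stand-in for a network interface's address list (constructed for the example,
    not a real netlink/ip wrapper)."""

    def __init__(self, name, addresses):
        self.name = name
        self.addresses = {str(ipaddress.ip_interface(a)) for a in addresses}

    def add(self, addr):
        self.addresses.add(str(ipaddress.ip_interface(addr)))

    def delete(self, addr):
        self.addresses.discard(str(ipaddress.ip_interface(addr)))


class NaiveClient:
    """Hypothetical weak behaviour: trusts whatever ends up in the source-IP field
    (pre-configured or overwritten by the server) and deletes it on teardown."""

    def __init__(self, iface):
        self.iface = iface
        self.sourceip = None

    def up(self, server_assigned):
        # The server-assigned address overwrites the source-IP field unconditionally.
        self.sourceip = str(ipaddress.ip_interface(server_assigned))
        self.iface.add(self.sourceip)
        return True

    def down(self):
        if self.sourceip:
            # Deletes the address even if the host had it before the tunnel came up.
            self.iface.delete(self.sourceip)
            self.sourceip = None


class SafeClient:
    """Hypothetical hardened behaviour: remembers which addresses it added itself
    and refuses to take ownership of, or delete, any other address."""

    def __init__(self, iface):
        self.iface = iface
        self.owned = set()

    def up(self, server_assigned):
        addr = str(ipaddress.ip_interface(server_assigned))
        if addr in self.iface.addresses:
            # A rogue or compromised server (or a misconfiguration) handed us an
            # address that already exists on the interface: do not claim it.
            log.warning("server assigned %s which already exists on %s; not taking ownership",
                        addr, self.iface.name)
            return False
        self.iface.add(addr)
        self.owned.add(addr)
        return True

    def down(self):
        # Only ever remove what we installed; the interface's own addresses survive.
        for addr in list(self.owned):
            self.iface.delete(addr)
        self.owned.clear()


def rogue_server_scenario(client_cls):
    """Constructed scenario: eth0 already holds 192.0.2.10/24 and the server assigns
    that same address. Returns eth0's address set after the tunnel is torn down."""
    eth0 = Interface("eth0", ["192.0.2.10/24"])
    client = client_cls(eth0)
    client.up("192.0.2.10/24")
    client.down()
    return eth0.addresses


def normal_scenario(client_cls):
    """Constructed scenario: the server assigns a fresh address; both clients should
    leave eth0's original address in place after teardown."""
    eth0 = Interface("eth0", ["192.0.2.10/24"])
    client = client_cls(eth0)
    client.up("10.99.0.5/32")
    client.down()
    return eth0.addresses


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for cls in (NaiveClient, SafeClient):
        print(cls.__name__, "rogue server ->", sorted(rogue_server_scenario(cls)))
        print(cls.__name__, "normal       ->", sorted(normal_scenario(cls)))
```

In the rogue-server scenario the naive client leaves eth0 with no address at all, which is the outcome the message objects to; the safe client logs a warning, never records the address as its own, and eth0 keeps 192.0.2.10/24. The ownership set is the whole mechanism: the decision to delete is based on what the client did, not on what the peer or the connection definition says.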