[Openswan dev] openswan cisco interop patches

Michael H. Warfield mhw at WittsEnd.com
Mon Jul 11 16:35:41 EDT 2011 

On Mon, 2011-07-11 at 15:55 -0400, Paul Wouters wrote: 
> On Mon, 11 Jul 2011, Avesh Agarwal wrote:
> 
> >> 
> >> However, even if it is done, it should be overwritten by the ip addresss 
> >> received from the server. But it is difficult to know if the old address in 
> >> the source ip field is from the old connection instance or due to wrong 
> >> connection definition by mistake as you said.
> >> 
> > Wanted to add that i think, if we prevent of setting leftsourceip and 
> > remote_peer_type in the same connection definition, then it should resolve 
> > this issue.

> I am still not happy that openswan could delete your eth0 main IP addresss,
> based on a remote server setting. It's a security vulnerability to allow
> that. (I know openvpn can push *any* route to the client, but I think that's
> a problem, not a feature)

> We should never delete an IP we did not add ourselves. So while doing some
> extra checks for misconfigurations might resolve some issues, I would also
> want openswan to be safe against rogue or compromised xauth cisco servers.

Given the conflicts I already see between different VPN's (IPsec, Cisco
AnyConnect, OpenVPN, and a plethora of proprietary crap) I would stand
on that and preach it from the mount.  We can not remove a route or IP
address we did not add.  Sooner or later, even if it looks good, there's
going to be some condition that will bite us in the behind.

I'm already dealing with reconciling multiple VPN's and order
dependencies and food-fights over who gets to update /etc/resolve.conf
(when I've already decide the answer is "none of the above" and set up
dnsmasq to do directed DNS lookus).  We don't need to compound that
problem further.

It's not the 80% case.  Maybe less that 5% but we still have to be sure
we restrict what we do so that it does not interfere or conflict with
others.  Yes, that ultimately may be intractable but we have to avoid
what we can.

> Paul

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/dev/attachments/20110711/5a5ece10/attachment.bin

More information about the Dev mailing list