[Openswan Users] Extruded subnets with 2.6 kernel ipsec
Herbert Xu
herbert at gondor.apana.org.au
Wed Aug 11 21:20:56 CEST 2004
Tom Hughes <thh at cyberscience.com> wrote:
>
> # Communicate with loxley in the clear
> conn loxley
>     left=172.16.9.1
>     right=172.16.9.4
>     type=passthrough
>     authby=never
>     auto=route
>
> The question is, is there any better solution? Could openswan be
> modified to recognise the case where one end is a subnet of the other
> and automatically add an appropriate hole to the security policy?
Not at the moment. Although it would be possible to extend the current
Linux stack to have interface-specific policies like KLIPS did. In fact
most of the code is already there in the kernel.
> Is there at least a way of writing a connection description that
> would exempt the whole of the local network rather than having to
> do it on a host-by-host basis? I did try a few things but they
> didn't seem to work.
Certainly. Just use leftsubnet/rightsubnet as usual.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
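As an added illustration of the leftsubnet/rightsubnet answer (this is a constructed example, not part of either message and not openswan project documentation): an ipsec.conf fragment that exempts the whole local network with one passthrough conn instead of one conn per host. The 172.16.9.0/24 local network is inferred from the addresses quoted above; the 172.16.0.0/16 remote-side network, the remote gateway address 203.0.113.1 and the authby setting of the tunnel are assumptions, and it is likewise assumed that, as with the quoted host-level hole, the narrower passthrough selector takes precedence over the wider tunnel policy.

```conf
# ipsec.conf fragment (constructed example, not from the original post).
# Assumed layout: the local LAN 172.16.9.0/24 is "extruded" out of a larger
# 172.16.0.0/16 network that sits behind a remote gateway, so the tunnel's
# policy would otherwise also match traffic between two local hosts.
conn extruded
    left=172.16.9.1
    leftsubnet=172.16.9.0/24
    right=203.0.113.1          # placeholder for the remote gateway address
    rightsubnet=172.16.0.0/16  # wider network of which the local LAN is a part
    authby=rsasig              # assumed; use whatever the real tunnel uses
    auto=start

# Exempt the whole local network at once: one passthrough conn whose
# selectors are narrower than the tunnel's, so local-to-local traffic stays
# in the clear without a host-by-host hole like the "loxley" conn above.
# left/right are taken from the quoted conn and only fix orientation; the
# subnet selectors are what define the hole in the policy.
conn local-passthrough
    left=172.16.9.1
    leftsubnet=172.16.9.0/24
    right=172.16.9.4
    rightsubnet=172.16.9.0/24
    type=passthrough
    authby=never
    auto=route
```

After `ipsec auto --add local-passthrough` and `ipsec auto --route local-passthrough`, `ip xfrm policy` on the 2.6 kernel is the place to confirm that a policy for the 172.16.9.0/24 selectors with no transform template is present next to the tunnel's template-carrying entries.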