[Openswan Users] Extruded subnets with 2.6 kernel ipsec

Herbert Xu herbert at gondor.apana.org.au
Wed Aug 11 21:20:56 CEST 2004


Tom Hughes <thh at cyberscience.com> wrote:
> 
>  # Communicate with loxley in the clear
>  conn loxley
>          left=172.16.9.1
>          right=172.16.9.4
>          type=passthrough
>          authby=never
>          auto=route
> 
> The question is, is there any better solution? Could openswan be
> modified to recognise the case where one end is a subnet of the other
> and automatically add an appropriate hole to the security policy?

Not at the moment.  Although it would be possible to extend the current
Linux stack to have interface-specific policies like KLIPS did.  In fact
most of the code is already there in the kernel.

> Is there at least a way of writing a connection description that
> would exempt the whole of the local network rather than having to
> do it on a host-by-host basis? I did try a few things but they
> didn't seem to work.

Certainly.  Just use leftsubnet/rightsubnet as usual.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
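As an added illustration of the case discussed above (not code from the thread, from Openswan or from either author): a small Python check that spots when one conn selector is nested inside the other, the situation Tom describes, and emits a passthrough conn that uses rightsubnet for the whole LAN instead of one right= host, as Herbert suggests. The sample tunnel, the remote address 192.0.2.10 and the choice of right= anchor host are constructed assumptions of this example.

```python
import ipaddress

# Constructed sample, not from the thread: a tunnel whose remote selector is a
# /16 that also contains the gateway's own LAN (the extruded-subnet case).
SAMPLE_TUNNEL = {
    "name": "extruded",
    "left": "172.16.9.1",
    "leftsubnet": "172.16.9.0/24",
    "right": "192.0.2.10",          # hypothetical remote gateway
    "rightsubnet": "172.16.0.0/16",
}
LOCAL_LAN = "172.16.9.0/24"


def nested_side(conn):
    """Return 'left' if leftsubnet lies inside rightsubnet, 'right' for the
    reverse, or None when neither selector is a strict subnet of the other.
    Missing subnets default to the host address, as openswan does."""
    l = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"))
    r = ipaddress.ip_network(conn.get("rightsubnet", conn["right"] + "/32"))
    if l != r and l.subnet_of(r):
        return "left"
    if l != r and r.subnet_of(l):
        return "right"
    return None


def clear_hole(conn, local_lan, right_host):
    """Emit a passthrough conn exempting the whole local LAN from the tunnel's
    policy, or return None when the tunnel's remote selector never touches it.
    right_host is only the address the conn is anchored on (a passthrough conn
    has no IKE peer); the clear-text selector is rightsubnet, the full LAN."""
    lan = ipaddress.ip_network(local_lan)
    remote = ipaddress.ip_network(conn["rightsubnet"])
    if not remote.overlaps(lan):
        return None
    lines = [
        f"# Communicate with the whole {lan.with_prefixlen} LAN in the clear",
        f"conn {conn['name']}-lan-clear",
        f"        left={conn['left']}",
        f"        right={right_host}",
        f"        rightsubnet={lan.with_prefixlen}",
        "        type=passthrough",
        "        authby=never",
        "        auto=route",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print("nested side:", nested_side(SAMPLE_TUNNEL))
    print(clear_hole(SAMPLE_TUNNEL, LOCAL_LAN, "172.16.9.4"))
```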