On Thu, 24 Nov 2016 15:18:15 -0500 (EST) Paul Wouters <[email protected]> wrote:
>
> I'm a little confused by failureshunt=drop. It does seem to work fine
> when a connection that has established, goes bad. But it seems to not
> prevent any leaking when a connection has not been started yet, or
> when the initial load+start is failing.
>
> my test: load mismatching connections on west and east, then
> run --up on west. Let it release whack, and run a ping. The
> swan12 device shows unencrypted pings and ip xfrm pol shows
> no drop shunt. ipsec status shows failureDROP
>
> Adding negotiationshunt=drop makes no difference. I suspect
> this is only used for OE?
>
> This is causing a leak.
>
> Should we install a non-bare failureshunt when a (non-template)
> connection is added using auto=add ?

Absolutely not. Add is waiting for the other end to connect.

> Should we install a non-bare negotiationshunt when a (non-template)
> connection is added using auto=add ?

Same.

> If the answer is no, repeat the question for auto=route ?
> (which would also apply to auto=start)

Yes to both of these - but remember, that means we MUST have ike pass in
policy or we can break the peer-in-peer-subnet case.

> Note I only tested this for a net-to-net tunnel. There is an
> additional complication for tunnels that have XXXsubnet=0.0.0.0/0

And any tunnel where the peer address is inside the subnet.

-- 
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
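The leak test in the thread boils down to one question: after loading the connection, what does the kernel policy for the west/east selector actually look like in `ip xfrm policy`? The script below is an added example, not code from the libreswan project or from either poster. It classifies the outbound policy for a given src/dst prefix pair as `ipsec` (a policy with a `tmpl` line, which is what both a live tunnel and the trap that `auto=route` installs look like), `drop` (a policy with `action block`, a drop shunt), `pass` (a policy with neither, a pass shunt) or `none` (no outbound policy at all), and then flags the last two as a cleartext leak. The `SAMPLE_POLICY` text is constructed to mimic iproute2's output format and is not captured from a real host; the addresses and reqid are made up. On a live system you would pipe `ip xfrm policy` into `classify_shunt` instead.

```shell
#!/bin/sh
# Classify the kernel xfrm policy libreswan left in place for one
# src/dst selector pair, and decide whether traffic would leak in
# cleartext. Added example; not part of libreswan.

# Constructed sample of `ip xfrm policy` output (not a real capture):
#   192.0.2.0/24 -> 198.51.100.0/24  tunnel/trap policy (has a tmpl)
#   192.0.2.0/24 -> 10.9.0.0/16      drop shunt (action block, no tmpl)
#   192.0.2.0/24 -> 10.8.0.0/16      pass shunt (no tmpl, not blocked)
SAMPLE_POLICY='src 192.0.2.0/24 dst 198.51.100.0/24
    dir out priority 1024 ptype main
    tmpl src 203.0.113.1 dst 203.0.113.2
        proto esp reqid 16389 mode tunnel
src 198.51.100.0/24 dst 192.0.2.0/24
    dir in priority 1024 ptype main
    tmpl src 203.0.113.2 dst 203.0.113.1
        proto esp reqid 16389 mode tunnel
src 192.0.2.0/24 dst 10.9.0.0/16
    dir out action block priority 1024 ptype main
src 192.0.2.0/24 dst 10.8.0.0/16
    dir out priority 1024 ptype main
'

# classify_shunt SRC DST  (reads an `ip xfrm policy` dump on stdin)
# Prints exactly one of: ipsec | drop | pass | none
classify_shunt() {
    awk -v want_src="$1" -v want_dst="$2" '
        # Emit a verdict for the record just finished, if it was an
        # outbound policy for the wanted selector. Report only once.
        function finish() {
            if (found || !outbound) return
            if (has_tmpl)     print "ipsec"
            else if (blocked) print "drop"
            else              print "pass"
            found = 1
        }
        /^src / {
            # "src A dst B" starts a new policy record.
            if (matched) finish()
            matched  = ($2 == want_src && $4 == want_dst)
            has_tmpl = 0; blocked = 0; outbound = 0
            next
        }
        matched && /^[ \t]+dir / {
            if ($2 == "out") outbound = 1
            if ($0 ~ /action block/) blocked = 1   # drop shunt
        }
        matched && /^[ \t]+tmpl / { has_tmpl = 1 }  # tunnel or trap
        END {
            if (matched) finish()
            if (!found) print "none"
        }
    '
}

# assert_no_leak SRC DST  (stdin as above)
# Returns 0 when packets are either protected/trapped or dropped,
# 1 when they would leave the host in cleartext (pass shunt or no policy).
assert_no_leak() {
    case "$(classify_shunt "$1" "$2")" in
        ipsec|drop) return 0 ;;
        *)          return 1 ;;
    esac
}

# Convenience wrappers over the constructed sample, so the script
# demonstrates itself when run stand-alone.
sample_shunt() { printf '%s' "$SAMPLE_POLICY" | classify_shunt "$1" "$2"; }
sample_leaks() { ! printf '%s' "$SAMPLE_POLICY" | assert_no_leak "$1" "$2"; }

for dst in 198.51.100.0/24 10.9.0.0/16 10.8.0.0/16 10.7.0.0/16; do
    verdict=$(sample_shunt 192.0.2.0/24 "$dst")
    if sample_leaks 192.0.2.0/24 "$dst"; then leak=LEAK; else leak=ok; fi
    printf '%-18s %-6s %s\n' "$dst" "$verdict" "$leak"
done
```

The mapping assumed here is: a drop shunt shows up as an xfrm policy with `action block`, a pass shunt as a policy with no `tmpl`, and both a trap (`auto=route`) and an established tunnel as a policy with a `tmpl`. Running the check right after `ipsec auto --add` versus after `--route` or `--up` makes the difference the thread is about visible: with `auto=add` alone the selector shows `none`, and the reply above argues that is intended, whereas after `auto=route`/`auto=start` with `failureshunt=drop` you want to see `ipsec` or `drop`, never `none` or `pass`.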
