On Fri, 25 Nov 2016, Tuomo Soini wrote:

Should we install a non-bare failureshunt when a (non-template)
connection is added using auto=add ?

Absolutely not. Add is waiting for other end to connect.

I'm not sure I agree. What could possibly be the purpose of:

conn subnet
        left=
        leftsubnet=10.0.1.0/24
        right=
        rightsubnet=192.168.0.0/16
        auto=add

Should a machine that loads this connection really leak packets from
10.0.1.0/24 to 192.168.0.0/16 ? It really seems that is not the
intention here. Can you give me a use case where this would make sense?

Possibly when the subnets are non-NAT'ed it could make sense to allow
optional encryption, but still I think that is a far-fetched corner
case.

But I do agree that if auto=add would install a shunt, you would also
expect it to act on it like auto=route, which is a little confusing.

If the answer is no, repeat the question for auto=route ?
(which would also apply to auto=start)

Yes to both of these - but remember, that means we MUST have ike pass
in policy or we can break peer in peer subnet case.

Note I only tested this for a net-to-net tunnel. There is an
additional complication for tunnels that have XXXsubnet=0.0.0.0/0

And any tunnel where peer address is inside subnet.

hmm, that would cause odd things too. Like you have auto=add but the
admin ran --up, and if the remote end would do a --down, would you
really want to leak packets?


You haven't convinced me yet your answers are correct :)

Paul
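As an added illustration (not code from this thread or from libreswan), a small Python model of the policy decision being argued about: which plaintext policies a net-to-net conn would need before its tunnel is up, with the IKE pass exception Tuomo insists on, generalised to the peer-inside-subnet and XXXsubnet=0.0.0.0/0 cases. The Conn and Policy classes and all addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IKE_PORTS = (500, 4500)  # IKE and IKE over NAT-T


@dataclass
class Conn:
    name: str
    auto: str            # add | route | start
    left: str            # local address
    leftsubnet: str
    right: str           # peer address
    rightsubnet: str


@dataclass(frozen=True)
class Policy:
    action: str          # "drop" (failure shunt) or "pass"
    src: str
    dst: str
    proto: str = "any"
    dport: Optional[int] = None


def shunt_would_block_ike(conn: Conn) -> bool:
    """A leftsubnet->rightsubnet drop shunt matches our own IKE packets
    (src=left, dst=right) only when both addresses fall inside the selector.
    rightsubnet=0.0.0.0/0 always satisfies the peer side."""
    return (ipaddress.ip_address(conn.left) in ipaddress.ip_network(conn.leftsubnet)
            and ipaddress.ip_address(conn.right) in ipaddress.ip_network(conn.rightsubnet))


def failure_shunt_policies(conn: Conn) -> List[Policy]:
    """Plaintext policies to install before the tunnel is up: none for auto=add
    (it only waits for the peer); for auto=route/start a drop shunt, preceded
    by IKE pass-through when the shunt would otherwise swallow IKE itself."""
    if conn.auto == "add":
        return []
    pols: List[Policy] = []
    if shunt_would_block_ike(conn):
        for port in IKE_PORTS:
            pols.append(Policy("pass", conn.left, conn.right, "udp", port))
    pols.append(Policy("drop", conn.leftsubnet, conn.rightsubnet))
    return pols


if __name__ == "__main__":
    # Constructed sample: the peer sits inside rightsubnet, the case from the thread.
    c = Conn("subnet", "route", "10.0.1.1", "10.0.1.0/24", "192.168.5.9", "192.168.0.0/16")
    for p in failure_shunt_policies(c):
        print(p)
```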
_______________________________________________
Swan-dev mailing list
https://lists.libreswan.org/mailman/listinfo/swan-dev