[strongSwan] routing all traffic through tunnel without local one

Daniel Mentz danielml+mailinglists.strongswan at sent.com
Mon Mar 8 10:02:48 CET 2010


Matthias Dahl wrote:
>> To tunnel all internet traffic, you'll need a 0.0.0.0/0 rightsubnet.
>> This however, includes your local network in the tunnel too.
> 
> One could consider this a bug. Most people certainly never will want their 
> local traffic routed outside of their local network. The more I think about 
> it, this could even have security implications. The default should be to have 
> the local lan by-passed unless the user explicitely states otherwise.

One might also argue that the current behavior is more secure: Imagine a 
road warrior being in a hotel room, connecting her laptop to the hotel's 
LAN in order to get Internet access. She probably does not care about 
other hosts on the local subnet. She just wants to have access to the 
corporate network via IPsec.

Now, imagine that the hotel's LAN uses the same IP address space as some 
resource on the corporate network. The traffic would then be sent to the 
incorrect machine on the local subnet of the hotel that happens to have 
the same IP address, instead of the machine on the corporate network.

-Daniel
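
The two configurations under discussion, written out as an added example (this is not configuration posted by either participant; the subnet 10.0.1.0/24 for the hotel LAN and the gateway name vpn.example.com are hypothetical placeholders). The first conn is the full-tunnel road-warrior setup with rightsubnet=0.0.0.0/0, which sends every packet, local LAN included, into the IPsec SA. The second conn is the explicit opt-out Matthias asks for: a type=passthrough policy that exempts the local subnet from the tunnel. With the first conn alone, a packet to 10.0.1.5 always goes to the corporate side; with the bypass added, it goes to whatever host answers on the hotel LAN, which is exactly the address-collision trade-off Daniel describes.

```ini
# /etc/ipsec.conf fragment (strongSwan ipsec.conf syntax, added example)

conn corp-full-tunnel
    # Road warrior: tunnel everything to the corporate gateway.
    left=%defaultroute
    leftsourceip=%config
    leftcert=roadwarrior.pem
    right=vpn.example.com            # hypothetical gateway name
    rightid=@vpn.example.com
    rightsubnet=0.0.0.0/0            # matches all traffic, including the local LAN
    keyexchange=ikev2
    auto=start

conn local-lan-bypass
    # Explicit exception: leave the local hotel LAN out of the tunnel.
    # Must be chosen deliberately; if the corporate network also uses
    # 10.0.1.0/24 these addresses will now resolve to hotel hosts.
    leftsubnet=10.0.1.0/24           # hypothetical local subnet
    rightsubnet=10.0.1.0/24
    authby=never
    type=passthrough
    auto=route
```

The passthrough policy is narrower than 0.0.0.0/0, so it takes precedence for that prefix in the SPD while everything else still matches the tunnel policy. Because the local subnet differs from one hotel to the next, the bypass cannot be a fixed default; each site needs its own prefix, which is the practical reason the full-tunnel behaviour without a bypass is the safer starting point.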
