[strongSwan] routing all traffic through tunnel without local one

Peter Winterer winterer at informatik.uni-freiburg.de
Wed Mar 10 18:57:18 CET 2010


Hi Daniel,

Am 08.03.2010 10:02, schrieb Daniel Mentz:
> Matthias Dahl wrote:
>>> To tunnel all internet traffic, you'll need a 0.0.0.0/0 rightsubnet.
>>> This however, includes your local network in the tunnel too.
>>
>> One could consider this a bug. Most people certainly never will want their
>> local traffic routed outside of their local network. The more I think about
>> it, this could even have security implications. The default should be to have
>> the local LAN bypassed unless the user explicitly states otherwise.
>
> One might also argue that the current behavior is more secure: Imagine a
> road warrior being in a hotel room, connecting her laptop to the hotel's
> LAN in order to get Internet access. She probably does not care about
> other hosts on the local subnet. She just wants to have access to the
> corporate network via IPsec.
>
> Now, imagine that the hotel's LAN uses the same IP address space as some
> resource on the corporate network. The traffic would then be sent to the
> incorrect machine on the local subnet of the hotel that happens to have
> the same IP address, instead of the machine on the corporate network.

I think you are right. However, what about DHCP traffic in the local
network? A client could not renew its IP address, because the DHCP
traffic to the local DHCP server would also be blocked. I'm not sure,
but I think with a Linux client this would break the connection and
therefore the IPsec tunnel.

regards
peter
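As an added example (not part of this thread and not strongSwan's own code), the script below reproduces the policy lookup the Linux kernel does for outbound packets, so you can see which local destinations a 0.0.0.0/0 rightsubnet would pull into the tunnel and whether a passthrough policy rescues them. The `ip xfrm policy` output it parses is constructed; the addresses, the priority numbers and the bypass policy are assumptions.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output (not taken from a real host):
# a road-warrior tunnel with rightsubnet=0.0.0.0/0 plus one bypass policy
# for the hotel LAN 10.1.2.0/24. The kernel applies the matching policy with
# the LOWEST priority number; a policy without any "tmpl" line is a bypass,
# so that traffic leaves in the clear instead of entering the tunnel.
SAMPLE_POLICIES = """\
src 10.1.2.77/32 dst 0.0.0.0/0
\tdir out priority 383615 ptype main
\ttmpl src 10.1.2.77 dst 203.0.113.10
\t\tproto esp reqid 1 mode tunnel
src 10.1.2.0/24 dst 10.1.2.0/24
\tdir out priority 100 ptype main
src 0.0.0.0/0 dst 10.1.2.77/32
\tdir in priority 383615 ptype main
\ttmpl src 203.0.113.10 dst 10.1.2.77
\t\tproto esp reqid 1 mode tunnel
"""

def parse_policies(text):
    """Parse `ip xfrm policy` text into dicts: src, dst, dir, priority, tunnel."""
    policies = []
    for block in re.split(r"\n(?=src )", text.strip()):
        lines = block.splitlines()
        sel = re.match(r"src (\S+) dst (\S+)", lines[0])
        hdr = re.search(r"dir (\w+) priority (\d+)", lines[1])
        policies.append({
            "src": ipaddress.ip_network(sel.group(1)),
            "dst": ipaddress.ip_network(sel.group(2)),
            "dir": hdr.group(1),
            "priority": int(hdr.group(2)),
            # a template in tunnel mode means the packet gets encapsulated
            "tunnel": any("mode tunnel" in ln for ln in lines[2:]),
        })
    return policies

def outbound_policy(policies, src_ip, dst_ip):
    """Return the 'out' policy the kernel would pick for src_ip -> dst_ip."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [p for p in policies
               if p["dir"] == "out" and src in p["src"] and dst in p["dst"]]
    return min(matches, key=lambda p: p["priority"], default=None)

def is_tunnelled(policies, src_ip, dst_ip):
    """True if traffic to dst_ip is sent into the IPsec tunnel."""
    p = outbound_policy(policies, src_ip, dst_ip)
    return p is not None and p["tunnel"]

def tunnel_report(policies, src_ip, hosts):
    """Map each destination (gateway, DHCP server, broadcast...) to tunnelled?"""
    return {h: is_tunnelled(policies, src_ip, h) for h in hosts}
```

Note that the limited-broadcast address 255.255.255.255 used by a DHCP DISCOVER/REQUEST is not covered by a LAN-prefix bypass, which is the case the post above worries about.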