[strongSwan] routing all traffic through tunnel without local one
Daniel Mentz
danielml+mailinglists.strongswan at sent.com
Thu Mar 11 13:04:30 CET 2010
Peter Winterer wrote:
> Hi Daniel,
>
> On 08.03.2010 10:02, Daniel Mentz wrote:
>> Matthias Dahl wrote:
>>>> To tunnel all internet traffic, you'll need a 0.0.0.0/0 rightsubnet.
>>>> This however, includes your local network in the tunnel too.
>>>
>>> One could consider this a bug. Most people certainly never will want
>>> their local traffic routed outside of their local network. The more
>>> I think about it, this could even have security implications. The
>>> default should be to have the local LAN bypassed unless the user
>>> explicitly states otherwise.
>>
>> One might also argue that the current behavior is more secure: Imagine a
>> road warrior being in a hotel room, connecting her laptop to the hotel's
>> LAN in order to get Internet access. She probably does not care about
>> other hosts on the local subnet. She just wants to have access to the
>> corporate network via IPsec.
>>
>> Now, imagine that the hotel's LAN uses the same IP address space as some
>> resource on the corporate network. The traffic would then be sent to the
>> incorrect machine on the local subnet of the hotel that happens to have
>> the same IP address, instead of the machine on the corporate network.
>
> I think you are right. However, what about DHCP traffic in the local
> network? A client could not renew his IP address, because the DHCP
> traffic to the local DHCP server would also be blocked. I'm not sure,
> but I think with a Linux client this would break the connection and
> therefore the IPsec tunnel.
Hi Peter,
that is indeed an interesting question. I guess one of the following is
true:
1. DHCP fails as you suspect.
2. The DHCP client uses raw sockets to send/receive IP packets. Maybe
IPsec policies do not apply to IP packets sent via raw sockets.
3. The DHCP client sets a "per socket policy" of type
IPSEC_POLICY_BYPASS. As a consequence, IP packets which are sent or
received on that socket are not subject to IPsec processing. If you can
read German, take a look at http://mirror.roe.ch/doc/hsr/sa-natt.pdf and
search for "Per socket policy". This document has some good information
about this socket option.
-Daniel
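The per-socket policy from point 3 can be tried directly. The following is an added example (not code from this thread, from strongSwan, or from any particular DHCP client): it builds the struct sadb_x_policy blob that Linux expects for the IP_IPSEC_POLICY socket option and applies an IPSEC_POLICY_BYPASS policy in both directions to a UDP socket like a DHCP client's. The numeric constants are taken from the Linux UAPI headers (linux/in.h, linux/pfkeyv2.h, linux/ipsec.h) and are Linux-specific; the assumptions are that the process has CAP_NET_ADMIN (the kernel refuses the option with EPERM otherwise) and that the PF_KEY key manager (af_key) is available to parse this format. The socket and port in open_dhcp_client_socket() are constructed for the example.

```python
"""Per-socket IPsec bypass on Linux via IP_IPSEC_POLICY.

Added example; constants are assumed from the Linux UAPI headers.
"""
import errno
import socket
import struct
import sys

# From linux/in.h, linux/pfkeyv2.h and linux/ipsec.h (assumed values).
IP_IPSEC_POLICY = 16          # optname at level IPPROTO_IP
SADB_X_EXT_POLICY = 18        # extension type the kernel insists on
IPSEC_POLICY_BYPASS = 4       # traffic on this socket skips IPsec processing
IPSEC_DIR_INBOUND = 1
IPSEC_DIR_OUTBOUND = 2

# struct sadb_x_policy is packed and 16 bytes long:
#   u16 len (in 64-bit units), u16 exttype, u16 type, u8 dir, u8 reserved,
#   u32 id, u32 priority
_POLICY_FMT = "=HHHBBII"
_POLICY_LEN64 = struct.calcsize(_POLICY_FMT) // 8   # == 2


def build_bypass_policy(direction):
    """Return the sadb_x_policy blob for a BYPASS policy in one direction."""
    if direction not in (IPSEC_DIR_INBOUND, IPSEC_DIR_OUTBOUND):
        raise ValueError("direction must be IPSEC_DIR_INBOUND or IPSEC_DIR_OUTBOUND")
    return struct.pack(_POLICY_FMT, _POLICY_LEN64, SADB_X_EXT_POLICY,
                       IPSEC_POLICY_BYPASS, direction, 0, 0, 0)


def decode_policy(blob):
    """Unpack a blob into a dict, applying the same sanity checks the kernel does."""
    if len(blob) != struct.calcsize(_POLICY_FMT):
        raise ValueError("bad policy length")
    length, exttype, ptype, pdir, _reserved, pid, prio = struct.unpack(_POLICY_FMT, blob)
    if length * 8 != len(blob) or exttype != SADB_X_EXT_POLICY:
        raise ValueError("not a sadb_x_policy extension")
    return {"type": ptype, "dir": pdir, "id": pid, "priority": prio}


def apply_bypass(sock):
    """Mark sock as IPsec-bypass in both directions.

    Returns None on success, otherwise the errno name (e.g. "EPERM" when
    the caller lacks CAP_NET_ADMIN, "EINVAL" when no key manager parses it).
    """
    if not sys.platform.startswith("linux"):
        return "ENOTSUP"   # the option number and struct layout above are Linux-only
    for direction in (IPSEC_DIR_INBOUND, IPSEC_DIR_OUTBOUND):
        try:
            sock.setsockopt(socket.IPPROTO_IP, IP_IPSEC_POLICY,
                            build_bypass_policy(direction))
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))
    return None


def open_dhcp_client_socket():
    """Constructed usage: a broadcast UDP socket as a DHCP client would use.

    Returns (socket, status) where status is None if the bypass policy was
    applied, or an errno name string otherwise (socket may be None if even
    creating it failed, e.g. in a restricted sandbox).
    """
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except OSError as e:
        return None, errno.errorcode.get(e.errno, str(e.errno))
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    # A real client would now bind to 0.0.0.0:68 (needs privilege) and send
    # to 255.255.255.255:67; that part is left out here.
    return s, apply_bypass(s)


if __name__ == "__main__":
    sock, status = open_dhcp_client_socket()
    print("bypass policy:", "applied" if status is None else "failed with " + status)
    if sock is not None:
        sock.close()
```

Run as root (or with CAP_NET_ADMIN) on a host with the af_key module loaded to see the policy accepted; as an unprivileged user the call fails with EPERM, which is the practical reason a DHCP client that wants this must set it before dropping privileges. Socket policies do not show up in "ip xfrm policy", so the return value of setsockopt is the only feedback.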