[strongSwan] routing all traffic through tunnel without local one

Matthias Dahl ml-strongswan at binary-island.eu
Thu Mar 11 16:32:02 CET 2010

Hi Daniel.

On Monday 08 March 2010 10:02:48 Daniel Mentz wrote:

> One might also argue that the current behavior is more secure [...]
> Now, imagine that the hotel's LAN uses the same IP address space as some
> resource on the corporate network. The traffic would then be sent to the
> incorrect machine on the local subnet of the hotel that happens to have
> the same IP address, instead of the machine on the corporate network.

You are right. I haven't thought of that. There are pros and cons to both 
approaches.  A middle way would be to mix both: never route the client's 
subnet unless otherwise stated and at least warn the user if the local subnet 
is identical to the server's subnet that is going to be routed through the 
tunnel. Something like that. The former is exactly what is done at the moment, 
the client subnet is not routed unless you screw up badly like I did 
apparently. So everything is just fine, at least for me. ;)

So long,

More information about the Users mailing list