[strongSwan] routing all traffic through tunnel without local one
Matthias Dahl
ml-strongswan at binary-island.eu
Thu Mar 11 16:32:02 CET 2010
Hi Daniel.
On Monday 08 March 2010 10:02:48 Daniel Mentz wrote:
> One might also argue that the current behavior is more secure [...]
>
> Now, imagine that the hotel's LAN uses the same IP address space as some
> resource on the corporate network. The traffic would then be sent to the
> incorrect machine on the local subnet of the hotel that happens to have
> the same IP address, instead of the machine on the corporate network.
You are right. I haven't thought of that. There are pros and cons to both
approaches. A middle way would be to mix both: never route the client's
subnet unless otherwise stated and at least warn the user if the local subnet
is identical to the server's subnet that is going to be routed through the
tunnel. Something like that. The former is exactly what is done at the moment:
the client subnet is not routed unless you screw up badly like I did
apparently. So everything is just fine, at least for me. ;)
So long,
matthias.
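
The warning suggested in the message above, sketched as an added example (not part of the original post and not strongSwan code): it compares the client's local subnets with the subnets routed through the tunnel and reports any collision. The function name `tunnel_conflicts` and all addresses are hypothetical, and skipping a catch-all selector is a choice made for this example.

```python
import ipaddress

def tunnel_conflicts(local_subnets, tunnel_subnets):
    """Return (local, remote, relation) for each local subnet that collides
    with a subnet routed through the tunnel."""
    conflicts = []
    for local in (ipaddress.ip_network(s, strict=False) for s in local_subnets):
        for remote in (ipaddress.ip_network(s, strict=False) for s in tunnel_subnets):
            if local.version != remote.version:
                continue
            if remote.prefixlen == 0:
                # A catch-all selector contains every local subnet, so it
                # would always warn; only specific remote subnets are compared.
                continue
            if not local.overlaps(remote):
                continue
            # Two CIDR blocks that overlap are either equal or nested.
            if local == remote:
                relation = "identical"
            elif local.subnet_of(remote):
                relation = "local inside remote"
            else:
                relation = "remote inside local"
            conflicts.append((str(local), str(remote), relation))
    return conflicts

if __name__ == "__main__":
    # Constructed sample values: interface addresses on the client and
    # the subnets the gateway routes through the tunnel.
    local = ["192.168.1.23/24", "fe80::1/64"]
    tunnel = ["0.0.0.0/0", "192.168.1.0/24", "192.168.0.0/16", "10.1.0.0/16"]
    for l, r, rel in tunnel_conflicts(local, tunnel):
        print(f"warning: local subnet {l} conflicts with tunnelled subnet {r} ({rel})")
```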