[strongSwan] [strongSwan-dev] PASS and DROP shunt policies (was: ANNOUNCE: strongswan-4.5.3rc1 released)
daniel at exxm.de
Fri Jul 22 17:56:58 CEST 2011
Dear strongSwan team,

thanks for the great work. I have some comments regarding the following

On 07/19/2011 01:00 AM, Andreas Steffen wrote:
> PASS and DROP shunt policies configurable by charon
> The IKEv2 charon daemon supports type=pass and type=drop shunt
> policies preventing specific traffic from going through IPsec connections.
> Installation of the shunt policies is possible either via the XFRM
> netfilter or PFKEYv2 IPsec kernel interfaces as the following two
> scenarios show:

I'm looking at the IKEv2 example. It talks about a host called venus,
but I can't find it in the picture. I believe that adding it to the
picture would help avoid confusion.

You say that "install_routes=no" has to be added to strongswan.conf.
This raises some concerns. Doesn't this break other connections that
depend on install_routes being set to "yes"? Why not change strongSwan
in a way such that "install_routes=no" is applied to "type=pass"
connections automatically? I believe that this would be an improvement

I'm curious what would happen if you do not set install_routes to no.
What do the routes look like and why are they causing failure?

Again, from a user perspective, I see "authby=never" as part of the
"local-net" connection which is of "type=pass". On the same note, "conn
venus-icmp" has the parameters "leftauth=any" and "rightauth=any".
Wouldn't it be nice to get rid of these parameters in this scenario? I'm
thinking that authby, leftauth and rightauth are not applicable if the
connection is of "type=drop" or "type=pass". If it's an internal thing,
maybe starter or charon can add this automatically.