Problem with new source address selection

[Bjoern A. Zeeb]

On Wed, 3 Dec 2008, Frank Behrens wrote:

Hi,

> As I mentioned earlier I believe the main problem is IPSEC itself,
> where we don't have an interface for tunneled connections. So I made
> a workaround with a dummy loopback device. So I have a question to
> the network specialists: Is there no other solution? Am I the only
> stupid man, who wants to tunnel a subnet with private address range
> via IPSEC?

No, you aren't.

Let me try to explain a bit further why I don't think it's an IPsec
problem (at least not in first place).

Asume you'd not run IPsec but communicate with the people directly
(with valid IPs). Instead of having policies to control the traffic
you are using simple IP filters on each side. So now in your network
topology, with your setup, with the destination not being on a
directly connected network, what would source address selection pick
as outgoing IP (obviously w/o the hack with the route to the
loopback)? Would that IP match your policy and thus would the peer
permit it in its firewall?


>> When it comes to the source address selection I am tempted to answer
>> with: I am willing to still allow this in 7 to not break production
>> setups but I am inclined to not change HEAD and keep the behavior
>> dropped there. See patch below, which basically is what you had with
>> the version check and the if (ia == NULL) check to not blindly overwrite
>> if we had found anything closer (untested).
>
> Thanks, I will try this.

I am still discussing things, or rather have the question queued with
someone but we are all a bit busy atm.

Did you try the patch and did it work for you as expected? If so I'll
add it to my repo and the next jail patch.

/bz

-- 
Bjoern A. Zeeb                      The greatest risk is not taking one.