| author | Tobias Brunner <tobias@strongswan.org> | 2016-05-02 14:21:30 +0200 |
|---|---|---|
| committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2016-05-06 20:27:18 +0200 |
| commit | 979f465113ece90c218fe4dfdbf0db9fb2c395a0 (patch) | |
| tree | 4fa2fbea87fb81f960abf512b8960e28a5c6e373 /src/libcharon/plugins/vici/python | |
| parent | fee991c2597abbb6de75fb4a256f4fd8fe5b5f1b (diff) | |
| download | strongswan-979f465113ece90c218fe4dfdbf0db9fb2c395a0.tar.bz2 strongswan-979f465113ece90c218fe4dfdbf0db9fb2c395a0.tar.xz | |
child-sa: Install "outbound" FWD policy with lower priority
This provides a fix if symmetrically overlapping policies are
installed, as is e.g. the case in the ikev2/ip-two-pools-db scenario:
carol 10.3.0.1/32 ----- 10.3.0.0/16, 10.4.0.0/16 moon
alice 10.4.0.1/32 ----- 10.3.0.0/16, 10.4.0.0/16 moon
Among others, the following FWD policies are installed on moon:
src 10.3.0.1/32 dst 10.4.0.0/16
...
tmpl ...
src 10.4.0.0/16 dst 10.3.0.1/32
...
src 10.4.0.1/32 dst 10.3.0.0/16
...
tmpl ...
src 10.3.0.0/16 dst 10.4.0.1/32
...
Because the network prefixes are the same for all of these they all have the
same priority. Due to that it depends on the install order which policy gets
used. For instance, a packet from 10.3.0.1 to 10.4.0.1 will match the
first as well as the last policy. However, when handling the inbound
packet we have to use the first one as the packet will otherwise be
dropped due to a template mismatch. And we can't install templates with
the "outbound" FWD policies as that would prevent using different
IPsec modes or e.g. IPComp on only one of multiple SAs.
Instead we install the "outbound" FWD policies with a lower priority
than the "inbound" FWD policies so the latter are preferred. But we use
a higher priority than default drop policies would use (in case they'd
be defined with the same subnets).
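To make the selection rule described above concrete, here is a small model of FWD-policy lookup. It is an added example, not code from strongSwan or from the Linux XFRM implementation: the priority values, the install-order tiebreak among equal priorities, and the simplified template check are assumptions that follow the commit message. It installs the four policies from the scenario (plus a default drop policy with the same subnets as one of the "outbound" FWD policies), then shows that with equal priorities the result for a packet from 10.3.0.1 to 10.4.0.1 depends on which peer's policies were installed first, and that giving the "outbound" FWD policies a lower priority than the "inbound" ones makes the inbound policy win regardless of order while still beating the drop policy.

```python
"""Toy model of FWD-policy selection for the ikev2/ip-two-pools-db scenario.

Added example, not strongSwan or kernel code. Assumptions: a lower priority
value is consulted first (the XFRM convention); among equal priorities the
earliest-installed policy wins; a protected packet must have arrived through
the SA named in the policy's template, and a policy without template only
fits cleartext. The priority numbers below are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

PRIO_FWD_INBOUND = 1000        # "inbound" FWD policies, carrying templates
PRIO_FWD_OUTBOUND_OLD = 1000   # before the fix: same priority as inbound
PRIO_FWD_OUTBOUND_NEW = 1100   # after the fix: below inbound ...
PRIO_DEFAULT_DROP = 2000       # ... but still ahead of a default drop policy


@dataclass
class Policy:
    src: str                    # source selector (CIDR)
    dst: str                    # destination selector (CIDR)
    prio: int
    action: str = "allow"       # "allow" or "drop"
    tmpl: Optional[str] = None  # SA the packet must have come through, if any


def build_policies(alice_first: bool, fixed: bool) -> List[Policy]:
    """Moon's FWD policies for carol (10.3.0.1) and alice (10.4.0.1)."""
    out_prio = PRIO_FWD_OUTBOUND_NEW if fixed else PRIO_FWD_OUTBOUND_OLD
    carol = [
        Policy("10.3.0.1/32", "10.4.0.0/16", PRIO_FWD_INBOUND, tmpl="sa-carol"),
        Policy("10.4.0.0/16", "10.3.0.1/32", out_prio),            # "outbound" FWD
    ]
    alice = [
        Policy("10.4.0.1/32", "10.3.0.0/16", PRIO_FWD_INBOUND, tmpl="sa-alice"),
        Policy("10.3.0.0/16", "10.4.0.1/32", out_prio),            # "outbound" FWD
    ]
    # Hypothetical default drop policy with the same subnets as alice's
    # "outbound" FWD policy, to show it must rank below that policy.
    drop = [Policy("10.3.0.0/16", "10.4.0.1/32", PRIO_DEFAULT_DROP, action="drop")]
    return (alice + carol if alice_first else carol + alice) + drop


def lookup(policies: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """Best matching policy: lowest priority value, then earliest installed."""
    s, d = ip_address(src), ip_address(dst)
    matches = [(p.prio, i, p) for i, p in enumerate(policies)
               if s in ip_network(p.src) and d in ip_network(p.dst)]
    if not matches:
        return None
    return min(matches, key=lambda m: m[:2])[2]


def forward_decision(policies: List[Policy], src: str, dst: str,
                     inbound_sa: Optional[str] = None) -> str:
    """'forward' or 'drop' for a packet src->dst that arrived via inbound_sa
    (None for a cleartext packet)."""
    p = lookup(policies, src, dst)
    if p is None or p.action == "drop":
        return "drop"
    # Simplified template check from the commit message: the chosen policy's
    # template has to match the SA the packet came in through.
    return "forward" if p.tmpl == inbound_sa else "drop"


if __name__ == "__main__":
    for fixed in (False, True):
        for alice_first in (False, True):
            pols = build_policies(alice_first, fixed)
            print(f"fixed={fixed} alice_first={alice_first}: "
                  f"carol->alice {forward_decision(pols, '10.3.0.1', '10.4.0.1', 'sa-carol')}, "
                  f"alice->carol {forward_decision(pols, '10.4.0.1', '10.3.0.1', 'sa-alice')}")
```

Without the fix, whichever peer's policies were installed second loses one direction: the packet picks the earlier-installed, template-less "outbound" FWD policy and is dropped on the template check. With the fix both directions forward regardless of install order, and a cleartext packet from elsewhere in 10.3.0.0/16 to 10.4.0.1 still hits the "outbound" FWD policy before the drop policy.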
Diffstat (limited to 'src/libcharon/plugins/vici/python')
0 files changed, 0 insertions, 0 deletions
