[PATCH -ocserv 4/5] Use distinct remote and local IPs when explicit_ipv[46] is specified

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Feb 9 08:25:55 PST 2015


On Mon, Feb 9, 2015 at 5:07 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> To be honest I haven't tried it. I knew however, that openconnect does
>> use the same IP as well on the tun device for both the local and the
>> P-t-P one. I'll have to check it further, but that will not be very
>> soon. If there are any nice ideas to overcome that they are welcome.
> That's different. OpenConnect uses its *local* IP address also as the
> remote PtP address. The *local* address is the important one, and since
> we set up explicit routes or the default route over the tunnel the
> remote ptp address is actually fairly irrelevant¹.
> But ocserv is using the *remote* IP also as the local IP. Which means
> the local host suddenly starts responding as if the remote IP is one of
> its own local addresses... which is an entirely different thing.

Correct. That still does leave the problem of what to put there. Maybe
it would make sense to restrict all explicit IPs to only even values,
and use the odd value as the local one. That at least would prevent
major surprises.

regards,
Nikos
