On Mon, Feb 9, 2015 at 5:07 PM, David Woodhouse <dwmw2 at infradead.org> wrote:
>> To be honest I haven't tried it. I knew however, that openconnect does
>> use the same IP as well on the tun device for both the local and the
>> P-t-P one. I'll have to check it further, but that will not be very
>> soon. If there are any nice ideas to overcome that they are welcome.
> That's different. OpenConnect uses its *local* IP address also as the
> remote PtP address. The *local* address is the important one, and since
> we set up explicit routes or the default route over the tunnel the
> remote ptp address is actually fairly irrelevant?
> But ocserv is using the *remote* IP also as the local IP. Which means
> the local host suddenly starts responding as if the remote IP is one of
> its own local addresses... which is an entirely different thing.

Correct. That still does leave the problem of what to put there. Maybe it would make sense to restrict all explicit IPs to only even values, and use the odd value as the local one. That at least would prevent major surprises.

regards,
Nikos