Re: [strongSwan] Charon doesn't set the routes

2011-10-05 Thread Diego Woitasen
On Mon, Oct 3, 2011 at 6:10 AM, Tobias Brunner tob...@strongswan.org wrote:
 Hi Diego,

 I forgot to clarify that the route is inserted if compress=no. In
 kernel_netlink_ipsec.c add_policy method, the code checks if mode !=
 MODE_TRANSPORT to insert the route.

 Yes, if IPComp is enabled the actual IPsec SA uses transport mode in the 
 kernel as the inner IPComp SA does the tunneling.  Up to 4.4.1 charon did 
 this slightly wrong because the mode is changed while installing the policy 
 and later when installing the route and checking the mode it's not the 
 original mode that is compared.  Please update to at least 4.5.0 to fix this.

 Regards,
 Tobias



Yes, you are right. The bug was fixed in Openswan 4.5.2 from Debian backports.

Thanks!

-- 
Diego Woitasen

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] Charon doesn't set the routes

2011-10-03 Thread Martin Willi
Hi,

 In kernel_netlink_ipsec.c add_policy method, the code checks if mode !=
 MODE_TRANSPORT to insert the route.

Yes. Why do you need an additional route in transport mode? There are
usually no new addresses or routes involved, transport mode just
protects the traffic between two hosts that already have a route.

Regards
Martin




Re: [strongSwan] Charon doesn't set the routes

2011-10-03 Thread Tobias Brunner
Hi Diego,

 I forgot to clarify that the route is inserted if compress=no. In
 kernel_netlink_ipsec.c add_policy method, the code checks if mode !=
 MODE_TRANSPORT to insert the route.

Yes, if IPComp is enabled the actual IPsec SA uses transport mode in the kernel 
as the inner IPComp SA does the tunneling.  Up to 4.4.1 charon did this 
slightly wrong because the mode is changed while installing the policy and 
later when installing the route and checking the mode it's not the original 
mode that is compared.  Please update to at least 4.5.0 to fix this.

Regards,
Tobias


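Tobias's explanation above and Martin's remark about transport mode, as an added example that is not strongSwan code and was not posted by anyone in the thread: a small Python model of the route decision, run over the four conns of Diego's ipsec.conf. `Policy`, `Mode`, `install_policy_buggy`, `install_policy_fixed`, `route_needed`, `thread_conns` and `routes_for_conns` are hypothetical names chosen for this illustration; the real logic lives in kernel_netlink_ipsec.c (add_policy). The buggy variant overwrites the policy's mode in place before the route check, so every compress=yes conn loses its route, which is what Diego observed; the fixed variant derives the transport-mode ESP SA without touching the policy, so the route check still sees tunnel mode.

```python
"""Model of charon's route-installation decision with IPComp, as described in the thread.
Added illustration, not strongSwan code: all names below are hypothetical."""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    TUNNEL = "tunnel"
    TRANSPORT = "transport"


@dataclass
class Policy:
    name: str
    mode: Mode
    ipcomp: bool   # compress=yes in ipsec.conf
    dst_ts: str    # remote traffic selector (rightsubnet) the route would point at


def route_needed(mode: Mode) -> bool:
    # Martin's point: transport mode protects traffic between two hosts that
    # already have a route to each other, so charon installs none for it.
    return mode != Mode.TRANSPORT


def install_policy_buggy(p: Policy) -> dict:
    """Behaviour up to 4.4.1 as Tobias describes it: the mode is rewritten to
    transport for the IPComp case, and the later route check sees the rewritten mode."""
    if p.ipcomp:
        p.mode = Mode.TRANSPORT          # in-place change leaks into the route decision
    route = p.dst_ts if route_needed(p.mode) else None
    return {"esp_mode": p.mode, "route": route}


def install_policy_fixed(p: Policy) -> dict:
    """Behaviour from 4.5.0 (modelled, not the actual patch): the transport-mode ESP
    SA is derived from the policy rather than written back to it, so the route
    decision still compares the original mode."""
    esp_mode = Mode.TRANSPORT if p.ipcomp else p.mode
    route = p.dst_ts if route_needed(p.mode) else None
    return {"esp_mode": esp_mode, "route": route}


def thread_conns() -> list:
    """The four conns from Diego's ipsec.conf, reduced to what matters here
    (the first two inherit rightsubnet=10.12.160.0/24 and compress=yes from %default)."""
    return [
        Policy("LabMPLS-drago",      Mode.TUNNEL, True,  "10.12.160.0/24"),
        Policy("Lab2MPLS-vera",      Mode.TUNNEL, True,  "10.22.160.0/24"),
        Policy("LabMPLS-drago-voip", Mode.TUNNEL, False, "10.12.160.168/29"),
        Policy("Lab2MPLS-vera-voip", Mode.TUNNEL, False, "10.22.160.168/29"),
    ]


def routes_for_conns(installer) -> dict:
    """Map conn name -> route installed (or None) under the given installer."""
    return {p.name: installer(p)["route"] for p in thread_conns()}


if __name__ == "__main__":
    print("up to 4.4.1:", routes_for_conns(install_policy_buggy))
    print("4.5.0+:     ", routes_for_conns(install_policy_fixed))
```

Running it prints routes only for the two compress=no conns under the buggy installer and for all four under the fixed one, while both installers still put the IPComp-protected ESP SA in transport mode.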


Re: [strongSwan] Charon doesn't set the routes

2011-09-30 Thread Diego Woitasen
On Fri, Sep 30, 2011 at 8:12 AM, Diego Woitasen di...@woitasen.com.ar wrote:
 Hi,
  I have the configuration below. I don't know why Charon doesn't set the
 routes after SA establishment. It's a net-to-net tunnel and works
 perfectly for hosts behind the gateway, but if I want to connect from
 one of the gateways to a host behind the peer I have to configure the
 route with src manually. On IRC someone told me that Charon sets
 the src in the route if it detects that one of the
 [left|right]subnet values matches the IP of one of the interfaces.

 ipsec.conf:
 config setup
        crlcheckinterval=30
        cachecrls=yes
        strictcrlpolicy=no
        plutostart=no
        hidetos=no
        charondebug=knl 1

 conn %default
        ikelifetime=8h
        lifetime=8h
        rekeymargin=10m
        keyingtries=3
        keyexchange=ikev2
        mobike=yes
        dpddelay=5
        dpdaction=clear
        authby=rsasig
        auto=add
        ike=aes128-sha1-modp2048!
        esp=aes128-sha1-modp2048!
        leftsubnet=10.0.0.0/8
        right=%defaultroute
        rightid=@nodo668.foo.com
        rightcert=nodo668-cert.pem
        rightsubnet=10.12.160.0/24
        compress=yes

 conn LabMPLS-drago
        left=172.16.1.129
        leftid=@concentrador-drago.foo.com

 conn Lab2MPLS-vera
        left=172.19.1.130
        leftid=@concentrador-vera.foo.com
        right=172.19.1.1
        rightsubnet=10.22.160.0/24

 conn LabMPLS-drago-voip
        left=172.16.1.129
        leftid=@concentrador-drago.foo.com
        leftsubnet=10.87.0.0/16
        rightsubnet=10.12.160.168/29
        esp=null-sha1-modp2048!
        compress=no

 conn Lab2MPLS-vera-voip
        left=172.19.1.130
        leftid=@concentrador-vera.foo.com
        leftsubnet=10.87.0.0/16
        right=172.19.1.1
        rightsubnet=10.22.160.168/29
        esp=null-sha1-modp2048!
        compress=no

 strongswan.conf:

 charon {

        # number of worker threads in charon
        threads = 16

        # send strongswan vendor ID?
        # send_vendor_id = yes

        retransmit_timeout = 1
        retransmit_base = 1.8
        retransmit_tries = 4
        install_routes = yes   # I know that yes is the default, but I tried this anyway

        plugins {

                sql {
                        # loglevel to log into sql database
                        loglevel = -1

                        # URI to the database
                        # database = sqlite:///path/to/file.db
                        # database = mysql://user:password@localhost/database
                }
        }

        # ...
 }

 pluto {

 }

 libstrongswan {

        #  set to no, the DH exponent size is optimized
        #  dh_exponent_ansi_x9_42 = no
 }

 ip addr show:
 1: lo: LOOPBACK,UP,LOWER_UP mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
 2: eth0: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc pfifo_fast
 state UP qlen 1000
    link/ether 00:16:3e:9e:5f:51 brd ff:ff:ff:ff:ff:ff
    inet 10.12.160.254/24 brd 10.12.160.255 scope global eth0
 3: eth1: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc pfifo_fast
 state UP qlen 1000
    link/ether 00:16:3e:9e:5f:52 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.1/25 brd 172.16.1.127 scope global eth1
 4: eth2: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc pfifo_fast
 state UP qlen 1000
    link/ether 00:16:3e:9e:6f:52 brd ff:ff:ff:ff:ff:ff
    inet 172.19.1.1/25 brd 172.19.1.127 scope global eth2
 5: eth3: BROADCAST,MULTICAST mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:16:3e:9e:7f:52 brd ff:ff:ff:ff:ff:f

 ip route show:
 1: lo: LOOPBACK,UP,LOWER_UP mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
 2: eth0: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc pfifo_fast
 state UP qlen 1000
    link/ether 00:16:3e:9e:5f:51 brd ff:ff:ff:ff:ff:ff
    inet 10.12.160.254/24 brd 10.12.160.255 scope global eth0
 3: eth1: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc pfifo_fast
 state UP qlen 1000
    link/ether 00:16:3e:9e:5f:52 brd ff:ff:ff:ff:ff:ff
    inet 172.16.1.1/25 brd 172.16.1.127 scope global eth1
 4: eth2: BROADCAST,MULTICAST,UP,LOWER_UP mtu 1500 qdisc pfifo_fast
 state UP qlen 1000
    link/ether 00:16:3e:9e:6f:52 brd ff:ff:ff:ff:ff:ff
    inet 172.19.1.1/25 brd 172.19.1.127 scope global eth2
 5: eth3: BROADCAST,MULTICAST mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 00:16:3e:9e:7f:52 brd ff:ff:ff:ff:ff:f

 ip route show table 220:
 [empty]



 Regards,
  Diego
 --
 Diego Woitasen


Having a look at the code I discovered that Charon sets
mode=MODE_TRANSPORT if IP_COMP is used. Why? It doesn't make any sense
to me.

And if there is a good reason, Charon should consider this situation
and set the routes anyway.

Shall I report a bug?

Regards,
 Diego

-- 
Diego Woitasen

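An added example (Python; not strongSwan code and not posted by anyone in the thread) for doing what Diego was checking by hand: does routing table 220 hold a route for each rightsubnet, and could charon have put a `src` on it? `pick_src` mimics the rule mentioned in the question, that the src is an interface address lying inside the local traffic selector. The `inet` lines are taken from the `ip addr show` output in the thread; the table-220 lines and all function names (`local_addresses`, `pick_src`, `parse_routes`, `check_table_220`) are constructed for this illustration.

```python
"""Check charon's routes in table 220 and the src it would choose.
Added illustration, not strongSwan code; function names are hypothetical."""
import ipaddress

# The `inet` lines from the thread's `ip addr show` output.
IP_ADDR_SHOW = """\
    inet 127.0.0.1/8 scope host lo
    inet 10.12.160.254/24 brd 10.12.160.255 scope global eth0
    inet 172.16.1.1/25 brd 172.16.1.127 scope global eth1
    inet 172.19.1.1/25 brd 172.19.1.127 scope global eth2
"""

# Constructed sample of `ip route show table 220` after two tunnels came up
# (in the thread the table was empty); second route deliberately lacks a src.
TABLE_220 = """\
10.22.160.0/24 via 172.19.1.1 dev eth2 proto static src 10.12.160.254
10.22.160.168/29 via 172.19.1.1 dev eth2 proto static
"""

# iproute2 keywords that take a value; anything else is treated as a bare flag.
VALUE_KEYS = {"via", "dev", "proto", "src", "scope", "metric", "table"}


def local_addresses(ip_addr_text):
    """IPv4 addresses from `ip addr show` output (only the `inet` lines)."""
    addrs = []
    for line in ip_addr_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "inet":
            addrs.append(ipaddress.ip_interface(fields[1]).ip)
    return addrs


def pick_src(ip_addr_text, local_subnet):
    """First interface address inside the local traffic selector, or None
    when no interface has one (then the route gets no src)."""
    net = ipaddress.ip_network(local_subnet)
    for addr in local_addresses(ip_addr_text):
        if addr in net:
            return str(addr)
    return None


def parse_routes(text):
    """Parse `ip route show` lines into {dst: {attr: value}}; flags map to True."""
    routes = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst, attrs, i = fields[0], {}, 1
        while i < len(fields):
            if fields[i] in VALUE_KEYS and i + 1 < len(fields):
                attrs[fields[i]] = fields[i + 1]
                i += 2
            else:
                attrs[fields[i]] = True
                i += 1
        routes[dst] = attrs
    return routes


def check_table_220(route_text, expected):
    """expected: list of (rightsubnet, leftsubnet). Returns a list of problems."""
    routes = parse_routes(route_text)
    problems = []
    for dst, local in expected:
        net = ipaddress.ip_network(local)
        if dst not in routes:
            problems.append(f"{dst}: no route in table 220")
            continue
        src = routes[dst].get("src")
        if not isinstance(src, str):
            problems.append(f"{dst}: route has no src; no local address inside {local} was found")
        elif ipaddress.ip_address(src) not in net:
            problems.append(f"{dst}: src {src} is not inside {local}")
    return problems


if __name__ == "__main__":
    print(pick_src(IP_ADDR_SHOW, "10.0.0.0/8"))     # eth0's address is inside 10/8
    print(pick_src(IP_ADDR_SHOW, "10.87.0.0/16"))   # nothing inside: the voip conns get no src
    for problem in check_table_220(TABLE_220, [("10.22.160.0/24", "10.0.0.0/8"),
                                               ("10.22.160.168/29", "10.87.0.0/16"),
                                               ("10.12.160.0/24", "10.0.0.0/8")]):
        print(problem)
```

With the thread's addresses, `pick_src` finds 10.12.160.254 for leftsubnet=10.0.0.0/8 but nothing for leftsubnet=10.87.0.0/16, which is why a route for the voip conns would carry no src and traffic originating on the gateway itself would need one set by hand.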