Re: [strongSwan] auto=route with virtual IPs
For posterity: I've opened a ticket for this issue at https://wiki.strongswan.org/issues/2162

Is there any way around this without using updown.sh? Ticket #85 (https://wiki.strongswan.org/issues/85#note-4) kind of hints at a solution involving two routing tables but doesn't go into great detail.

Thanks,
Alex

On Fri, 28 Oct 2016 at 09:12 Alexander Hill wrote:
> Sure, will do. I started that process yesterday but my account is still
> awaiting approval :)
>
> Alex
>
> On Fri, 28 Oct 2016 at 09:09 Noel Kuntze wrote:
>> On 28.10.2016 03:00, Alexander Hill wrote:
>>> Server is running 5.3.5, I've tested 5.5.1 on the client end with and
>>> without the leftsubnet directive. Because this is to do with client-side
>>> routing updates I assume I can leave the server alone?
>>
>> Yes, this should only pertain to the client.
>> Curious problem. Mind opening an issue on the issue tracker?
>>
>> --
>> Mit freundlichen Grüßen/Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] auto=route with virtual IPs
Hi Noel,

Server is running 5.3.5, I've tested 5.5.1 on the client end with and without the leftsubnet directive. Because this is to do with client-side routing updates I assume I can leave the server alone?

Cheers,
Alex

On Fri, 28 Oct 2016 at 02:10 Noel Kuntze wrote:
> On 27.10.2016 18:29, Alexander Hill wrote:
>> I get a route with src explicitly set to my interface's real IP, which has
>> the same effect.
>
> What version of strongSwan are you using?
>
> --
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Re: [strongSwan] auto=route with virtual IPs
On 27.10.2016 18:29, Alexander Hill wrote:
> I get a route with src explicitly set to my interface's real IP, which has
> the same effect.

What version of strongSwan are you using?

--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Re: [strongSwan] auto=route with virtual IPs
Hi Noel,

Thanks for the suggestion, I tried that. If I remove the leftsubnet directive from the client config, I get a route with src explicitly set to my interface's real IP, which has the same effect. I also tried setting it to the virtual IP pool, and the current virtual IP under lease, to no avail. I'll double check tomorrow but I think one or both of those resulted in no route being added at all.

It seems to me like the correct route can only be added at connection time, because it needs the virtual IP that might not have been assigned yet, but the sans-src route is necessary before then to make the trap work. So the route needs to be replaced when a connection is established, but I can't work out how to make strongswan do that.

Any other ideas of how to make this work? I know updown.sh is there as a last resort but I'm hoping to stick to simple configuration.

Thanks,
Alex

On Thu, 27 Oct 2016 at 23:49 Noel Kuntze wrote:
>> 172.16.0.0/16 via 192.168.1.254 dev eth0 proto static src 172.16.0.3
>>
>> However if I use auto=route (or run ipsec route and then ipsec up), my
>> table 220 looks like this:
>>
>> 172.16.0.0/16 via 192.168.1.254 dev eth0 proto static
>
> As I wrote on IRC, that's because of this setting on the client.
>
>> leftsubnet=0.0.0.0/0
>
> Remove it.
>
> --
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
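The mechanism Alex describes above (a src-less route in table 220 so the trap policy fires, then a route carrying the virtual IP as src once the CHILD_SA is up) is exactly the step an updown hook can perform. The script below is an added example written for this thread; it is not code from the list, from strongSwan's own _updown script, or from the ticket. It assumes the variable names strongSwan's updown plugin exports (PLUTO_VERB, PLUTO_PEER_CLIENT, PLUTO_INTERFACE, PLUTO_MY_SOURCEIP; check them against the _updown script shipped with your version), that the hook is installed with leftupdown= in the client's conn, and that the caller provides the next hop in a hypothetical GATEWAY variable (192.168.1.254 in the thread). The route lines used in the check helpers are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from strongSwan): a minimal leftupdown
# hook that, once the virtual IP is assigned, re-installs the table 220 route
# with "src <virtual IP>", and on down puts the src-less trap route back.
# PLUTO_* names are those strongSwan passes to updown scripts; GATEWAY is an
# assumption (the next hop) that must be set in the script's environment.

# Build the ip(8) command as a string, so it can be inspected without root.
build_route_cmd() {
    verb="$1" dst="$2" gw="$3" dev="$4" src="$5"
    case "$verb" in
        up-client)
            # Virtual IP is known now: pin it as the preferred source.
            printf 'ip route replace %s via %s dev %s table 220 src %s\n' \
                "$dst" "$gw" "$dev" "$src" ;;
        down-client)
            # Back to the src-less route that lets the trap policy fire again.
            printf 'ip route replace %s via %s dev %s table 220\n' \
                "$dst" "$gw" "$dev" ;;
        *)  : ;;   # up-host/down-host and others: nothing to do here
    esac
}

# Check helper: does one line of `ip route show table 220` carry "src <want>"?
route_has_src() {
    case " $1 " in
        *" src $2 "*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Check a whole table dump: succeeds only if the route for prefix $2 has src $3.
table_route_ok() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            "$2 "*) route_has_src "$line" "$3" && echo ok ;;
        esac
    done | grep -q ok
}

# Dispatch only when charon invokes the script (PLUTO_VERB set); sourcing the
# file for testing leaves this block untouched.
if [ -n "${PLUTO_VERB:-}" ]; then
    cmd=$(build_route_cmd "$PLUTO_VERB" "$PLUTO_PEER_CLIENT" \
          "${GATEWAY:?set GATEWAY to the next hop}" "$PLUTO_INTERFACE" \
          "${PLUTO_MY_SOURCEIP:-}")
    [ -n "$cmd" ] && $cmd
    # Afterwards, confirm the route really carries the virtual IP, e.g.:
    # table_route_ok "$(ip route show table 220)" "$PLUTO_PEER_CLIENT" "$PLUTO_MY_SOURCEIP"
fi
```

strongSwan still owns the trap route in table 220; the hook only swaps its src attribute, and the down-client branch restores the src-less form so the trap keeps working for the next connection attempt. `table_route_ok` is the check to run after ipsec up: if it fails, traffic will leave with the interface's real address as source, which is the symptom described in this thread.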
Re: [strongSwan] auto=route with virtual IPs
> 172.16.0.0/16 via 192.168.1.254 dev eth0 proto static src 172.16.0.3
>
> However if I use auto=route (or run ipsec route and then ipsec up), my table
> 220 looks like this:
>
> 172.16.0.0/16 via 192.168.1.254 dev eth0 proto static

As I wrote on IRC, that's because of this setting on the client.

> leftsubnet=0.0.0.0/0

Remove it.

--
Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658