Re: [strongSwan] auto=route with virtual IPs

2016-11-01 Thread Alexander Hill
For posterity: I've opened a ticket for this issue at
https://wiki.strongswan.org/issues/2162

Is there any way around this without using updown.sh? Ticket #85 (
https://wiki.strongswan.org/issues/85#note-4) kind of hints at a solution
involving two routing tables but doesn't go into great detail.

Thanks,
Alex

On Fri, 28 Oct 2016 at 09:12 Alexander Hill wrote:

> Sure, will do. I started that process yesterday but my account is still
> awaiting approval :)
>
> Alex
>
> On Fri, 28 Oct 2016 at 09:09 Noel Kuntze wrote:
>
> On 28.10.2016 03:00, Alexander Hill wrote:
> >
> > Server is running 5.3.5, I've tested 5.5.1 on the client end with and
> > without the leftsubnet directive. Because this is to do with client-side
> > routing updates I assume I can leave the server alone?
>
> Yes, this should only pertain to the client.
> Curious problem. Mind opening an issue on the issue tracker?
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
>
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] auto=route with virtual IPs

2016-10-27 Thread Alexander Hill
Hi Noel,

Server is running 5.3.5, I've tested 5.5.1 on the client end with and
without the leftsubnet directive. Because this is to do with client-side
routing updates I assume I can leave the server alone?

Cheers,
Alex

On Fri, 28 Oct 2016 at 02:10 Noel Kuntze wrote:

> On 27.10.2016 18:29, Alexander Hill wrote:
> > I get a route with src explicitly set to my interface's real IP, which
> > has the same effect.
>
> What version of strongSwan are you using?
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Re: [strongSwan] auto=route with virtual IPs

2016-10-27 Thread Noel Kuntze
On 27.10.2016 18:29, Alexander Hill wrote:
> I get a route with src explicitly set to my interface's real IP, which has 
> the same effect.

What version of strongSwan are you using?
-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658





Re: [strongSwan] auto=route with virtual IPs

2016-10-27 Thread Alexander Hill
Hi Noel,

Thanks for the suggestion, I tried that. If I remove the leftsubnet
directive from the client config, I get a route with src explicitly set to
my interface's real IP, which has the same effect. I also tried setting it
to the virtual IP pool, and the current virtual IP under lease, to no
avail. I'll double check tomorrow but I think one or both of those resulted
in no route being added at all.

It seems to me like the correct route can only be added at connection time,
because it needs the virtual IP that might not have been assigned yet, but
the sans-src route is necessary before then to make the trap work. So the
route needs to be replaced when a connection is established, but I can't
work out how to make strongswan do that.

Any other ideas of how to make this work? I know updown.sh is there as a
last resort but I'm hoping to stick to simple configuration.

Thanks,
Alex

On Thu, 27 Oct 2016 at 23:49 Noel Kuntze  wrote:

> >
> > 172.16.0.0/16 via 192.168.1.254 dev eth0 proto static src 172.16.0.3
> >
> > However if I use auto=route (or run ipsec route and then ipsec up), my
> > table 220 looks like this:
> >
> > 172.16.0.0/16 via 192.168.1.254 dev eth0 proto static
>
>
> As I wrote on IRC, that's because of this setting on the client.
> > leftsubnet=0.0.0.0/0
> Remove it.
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
>
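
Added example (not part of the original thread and not strongSwan code): a check for the symptom discussed in this message, flagging routes in table 220 that lack `src` or carry a source other than the leased virtual IP. `check_vip_routes` and `sample_table_220` are hypothetical names; the first two sample lines are the routes quoted in the thread, and 192.168.1.10 is a constructed stand-in for the interface's real IP.

```shell
#!/bin/sh
# Added example: audit the routes found in routing table 220.
# check_vip_routes is a hypothetical helper, not a strongSwan tool.
#
# On a live client:  ip -4 route show table 220 | check_vip_routes 172.16.0.3
# Reads `ip route` lines on stdin; $1 is the virtual IP currently leased.
# Prints one verdict per route and returns 1 if any route would not
# source its traffic from the virtual IP.
check_vip_routes() {
    awk -v vip="$1" '
        NF == 0 { next }                      # skip blank lines
        {
            src = ""
            for (i = 2; i < NF; i++)          # locate the "src <addr>" pair
                if ($i == "src") src = $(i + 1)
            if (src == "")       { print "NOSRC " $1; bad = 1 }
            else if (src != vip) { print "WRONGSRC " $1 " " src; bad = 1 }
            else                 { print "OK " $1 }
        }
        END { exit bad + 0 }
    '
}

# Sample input. Lines 1 and 2 are the two routes quoted in the thread;
# line 3 is constructed (192.168.1.10 stands in for the real interface IP).
sample_table_220() {
    cat <<'EOF'
172.16.0.0/16 via 192.168.1.254 dev eth0 proto static src 172.16.0.3
172.16.0.0/16 via 192.168.1.254 dev eth0 proto static
172.16.0.0/16 via 192.168.1.254 dev eth0 proto static src 192.168.1.10
EOF
}

# Demo run over the sample; "|| true" keeps the script's own exit status 0.
sample_table_220 | check_vip_routes 172.16.0.3 || true
```
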

Re: [strongSwan] auto=route with virtual IPs

2016-10-27 Thread Noel Kuntze
> 
> 172.16.0.0/16 via 192.168.1.254 dev eth0 proto static src 172.16.0.3
> 
> However if I use auto=route (or run ipsec route and then ipsec up), my table 
> 220 looks like this:
> 
> 172.16.0.0/16 via 192.168.1.254 dev eth0 proto static


As I wrote on IRC, that's because of this setting on the client.
> leftsubnet=0.0.0.0/0
Remove it.

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658



