Hi all, Is there anyone familiar enough with the source to confirm or correct
me on this premise below? It still seems to me that the addresses presented by
the updown plugin for PLUTO_MY_SOURCEIP are only those from ike_sa_t->my_vips
and unless the responder is able to somehow get addresses in
UNSUBSCRIBE PLEASE
On 3/3/2019 at 6:15 AM, "Felipe Arturo Polanco" wrote: You are right
in that, the virtual IPs sent to the initiators are available in the
initiator.
If your setup is point to point and not roadwarrior, you can use a
range from .254-.254 and try it out, .253 will be fixed in
You are right in that, the virtual IPs sent to the initiators are available
in the initiator.
If your setup is point to point and not roadwarrior, you can use a range
from .254-.254 and try it out, .253 will be fixed in responder. I can't
confirm if this works as I haven't tried it.
If you want to
> On Mar 2, 2019, at 3:48 PM, Felipe Arturo Polanco
> wrote:
>
> Please recheck how you are getting the environment variables, those values
> are definitely there.
>
> Did you try the exact command I sent on my last email? Put that inside the
> temporary updown script, put the shebang on
Please recheck how you are getting the environment variables, those values
are definitely there.
Did you try the exact command I sent on my last email? Put that inside the
temporary updown script, put the shebang on the top and make it executable,
the output file will contain all environment
Thanks Felipe! I had checked that out in the past and there are no values that
are set that could be used in the script for the same effect (the static
side tunnel endpoint address).
There are two things I am wondering at this point:
Getting this working probably has something to do with
You can extract the env variables information by using the "set" command,
use a temporary updown script that has the following "set > /tmp/output",
after establishing the connection, check that output file both in initiator
and responder and see if the values are as expected, if they are, try to
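The `set > /tmp/output` trick above, as an added example that is not code from this thread or from the strongSwan project: a throwaway updown script that dumps its whole environment, plus two small helpers for pulling the PLUTO_* variables back out of such a dump so the initiator's and responder's files can be compared. The PLUTO_* names are the ones strongSwan's updown plugin exports; the helper names, the install path and the sample dump values are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not code from the thread or from strongSwan itself.
# Install with something like
#   leftupdown=/usr/local/sbin/dump-updown.sh   (path is an assumption)
# Helper names and the sample values below are constructed for this example.

# Dump the complete environment of this invocation into a file and print the
# file name. One file per verb and PID so up/down calls don't overwrite each
# other. /tmp is an assumption; pick a directory charon can write to.
dump_updown_env() {
    out="${1:-/tmp/updown.${PLUTO_VERB:-manual}.$$}"
    set > "$out"
    printf '%s\n' "$out"
}

# Print only the PLUTO_* lines from a dump, sorted, dropping shell internals.
pluto_vars() {
    grep '^PLUTO_' "$1" | sort
}

# Print the value of one PLUTO_* variable from a dump with the quotes `set`
# adds stripped; fail (exit 1) when it is absent or empty, which is what you
# get for PLUTO_MY_SOURCEIP on a side that was not assigned a virtual IP.
pluto_get() {
    val=$(sed -n "s/^$2=//p" "$1" | sed "s/^'\(.*\)'\$/\1/")
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Write a constructed dump resembling what `set` prints on an initiator that
# was assigned a virtual IP. Addresses are example values, not captured from
# a real tunnel.
write_sample_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
PATH='/usr/sbin:/usr/bin:/sbin:/bin'
PLUTO_CONNECTION='site-2-dynamic-ip'
PLUTO_ME='198.51.100.77'
PLUTO_MY_CLIENT='10.10.4.0/22'
PLUTO_MY_SOURCEIP='10.9.255.254'
PLUTO_PEER='203.0.113.10'
PLUTO_PEER_CLIENT='10.10.0.0/22'
PLUTO_VERB='up-client'
PWD='/'
EOF
    printf '%s\n' "$f"
}

if [ -n "$PLUTO_VERB" ]; then
    # Invoked by charon: record the environment and return success so the
    # CHILD_SA comes up regardless of what the dump contains.
    dump_updown_env >/dev/null
else
    # Run by hand: show what the helpers recover from the constructed dump.
    sample=$(write_sample_dump)
    pluto_vars "$sample"
    pluto_get "$sample" PLUTO_MY_SOURCEIP
    pluto_get "$sample" PLUTO_MY_SOURCEIP4_1 || echo "PLUTO_MY_SOURCEIP4_1 not set"
    rm -f "$sample"
fi
```

Run it once on each peer, then `pluto_vars` both dumps side by side: the variable that is present on one side and missing on the other is the one the thread is chasing.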
Hi Felipe,
That use of `left|rightsubnet` was a huge help.
In an effort to automate the address assignment for a larger network (same
theme as the OSPF), I’ve been using the `leftupdown` script in
Hi Brian,
Please try this configuration:
Dynamic:
conn site-2-dynamic-ip
left=%defaultroute
leftsubnet=10.10.0.0/22,10.9.255.252/30
leftfirewall=no
right=dy.na.mi.cip
rightsubnet=10.10.4.0/22,10.9.255.252/30
rightid=%specific.example.com
auto=add
Static:
conn
Hi Felipe, thank you for your consideration of this. It took me a bit to create
a diagram:
[ASCII diagram, truncated: 10.10.0.0/22 on one side, 10.10.4.0/22 on the other]
Hi Brian,
Your traffic selectors look strange, left implies the source IP XFRM will
see and right implies the destination IP XFRM will see in order to know if
it has to transform and encrypt that IP packet.
Can you tell us the existing subnets in both sites?
Site 1 with static IP has x.x.x.x
> VTI devices won't change anything. You can't use transport mode with
> any IPs other than those of the endpoints (i.e. it doesn't work with
> virtual IPs or arbitrary subnets - you have to use tunnel mode for that).
Got it, thanks Tobias. But the logs say `06[IKE] not using transport mode, not
Hi Brian,
VTI devices won't change anything. You can't use transport mode with
any IPs other than those of the endpoints (i.e. it doesn't work with
virtual IPs or arbitrary subnets - you have to use tunnel mode for
that). [1] might help to explain these modes to you.
Regards,
Tobias
[1]
> unless you use an additional tunneling protocol like GRE. So for
> transport mode you will have to use %dynamic (optional with
> protocol/port) as traffic selector.
Thanks Tobias. After spending the last couple of solid days on this, I’m a
little closer to a solution. Reading parts of the
Hi Brian,
> I am using `type=transport`
You can't use transport mode to tunnel traffic from IPs other than the
two hosts themselves (that's exactly what tunnel mode is for, where the
complete IP packet, including the original header, is encapsulated),
unless you use an additional tunneling
[Apologies for accidentally hitting send on previous email…]
Hi all, I’m trying to resolve an issue with traffic selection and am running
out of ideas on how to do so. Hopefully someone here can recognize what I am
doing wrong. My two endpoints are `strongSwan 5.7.2, Linux
16 matches