Hello

Trying to set up "Routed IPsec" using an XFRM interface in libreswan 5.1 built from sources; the OS is a RHEL9 clone, kernel 5.14. I want to create the ipsec1 interface with IP 172.24.130.1.

A part of configuration:

conn solvospb
        type=tunnel
        auto=start
        authby=secret
        keyexchange=ikev2
# Remote site
        right=A.B.C.D
        rightsubnets=172.16.80.0/20,172.24.96.0/19
# Local site
        left=%defaultroute
        leftsubnets=172.24.129.0/24,172.24.130.1/32
        ipsec-interface=1
        interface-ip=172.24.130.1/32
...

The tunnel starts up successfully, the ipsec1 interface is up and running, the routes are up, and traffic between 172.24.129.0/24 and 172.16.80.0/20,172.24.96.0/19 is passing. But ipsec1 does not have any IPv4 address assigned:

# ip ro sh dev ipsec1
172.16.80.0/20 scope link
172.24.96.0/19 scope link

# ip ad sh dev ipsec1
20: ipsec1@eth0: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet6 fe80::f279:d044:680:b750/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

Logs:

Dec 12 10:26:27.051519: | "solvospb/1x1" #1282: kernel_ops_policy_add() XFRM_MSG_UPDPOLICY for flow IPv4 (fwd) had A policy
Dec 12 10:26:27.051526: | "solvospb/1x1" #1282: add_kernel_ipsec_interface_address() ...
Dec 12 10:26:27.051533: | "solvospb/1x1" #1282: no CIDR found on connection for ipsec-interface ipsec1@eth0
Dec 12 10:26:27.051556: | "solvospb/1x1" #1282: no CIDR to set on ipsec-interface ipsec1 ID 1
Dec 12 10:26:27.051561: | "solvospb/1x1" #1282: ipsec:kernel_ipsec_interface_up() ipsec1 ...
Dec 12 10:26:27.051568: | "solvospb/1x1" #1282: xfrm_ipsec_interface_up() if_name ipsec1
Dec 12 10:26:27.051613: | "solvospb/1x1" #1282: simple_netlink_op() xfrm_ipsec_interface_up ipsec1
Dec 12 10:26:27.051618: | "solvospb/1x1" #1282: opening non-blocking netlink socket
Dec 12 10:26:27.051852: | "solvospb/1x1" #1282: sent 32 byte netlink message
Dec 12 10:26:27.051866: | "solvospb/1x1" #1282: reading into 32768 byte buffer
Dec 12 10:26:27.051879: | "solvospb/1x1" #1282: simple_netlink_op() succeded for xfrm_ipsec_interface_up ipsec1

If I manually add an IP address to the running ipsec1, it works as expected.

I looked for a while at the source code and found that the correct config option should be 'leftinterface-ip' or 'rightinterface-ip'. It looks strange, as an ipsec interface is local ('left' in my case); it can't be brought up remotely (at the 'right' side). And the non-working 'interface-ip' option is accepted by the pluto config parser without any warning.

With 'leftinterface-ip=172.24.130.1/32' the IP address is assigned to ipsec1.

Can anyone clarify this?

Regards, Ivan
_______________________________________________
Swan mailing list -- [email protected]
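A small config check for the silently accepted option described in the post above, added here as an example; it is not from the original post and not part of libreswan. It assumes only that a bare `interface-ip=` line inside a conn block is the mistake in question, and the sample config it scans is constructed to mirror the post:

```shell
#!/bin/sh
# Added example (not libreswan code): flag "interface-ip=" lines written
# without the left/right prefix, which pluto accepts but does not apply.

# Print each bare "interface-ip=" line of the config given as $1 with its
# file name, line number and conn name; return 1 if any were found, else 0.
check_ipsec_conf() {
    awk '
        /^[ \t]*conn[ \t]+/ { conn = $2 }
        /^[ \t]*interface-ip[ \t]*=/ {
            printf "%s:%d: conn %s: bare \"interface-ip\" is not applied by pluto; use leftinterface-ip (or rightinterface-ip)\n", FILENAME, FNR, conn
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample config: one conn with the bare option, one fixed.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
conn solvospb
        type=tunnel
        left=%defaultroute
        ipsec-interface=1
        interface-ip=172.24.130.1/32
conn fixed
        left=%defaultroute
        ipsec-interface=2
        leftinterface-ip=172.24.131.1/32
EOF

if check_ipsec_conf "$SAMPLE_CONF"; then
    echo "no bare interface-ip options found"
fi
```

Run it against /etc/ipsec.conf (or the included conf.d files) before `ipsec start`; a non-zero exit means at least one conn will come up without its interface address.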