On Fri, Sep 30, 2011 at 8:12 AM, Diego Woitasen <di...@woitasen.com.ar> wrote:
> Hi,
>  I have the configuration below. I don't know why Charon doesn't set the
> routes after SA establishment. It's a net-to-net tunnel and works
> perfectly for hosts behind the gateway, but if I want to connect from
> one of the gateways to a host behind the peer I have to configure the
> route with "src" manually. On IRC someone told me that Charon sets
> the "src" in the route if it detects that one of the
> [left|right]subnet values matches the IP of one of the interfaces.
> ipsec.conf:
> config setup
>        crlcheckinterval=30
>        cachecrls=yes
>        strictcrlpolicy=no
>        plutostart=no
>        hidetos=no
>        charondebug="knl 1"
> conn %default
>        ikelifetime=8h
>        lifetime=8h
>        rekeymargin=10m
>        keyingtries=3
>        keyexchange=ikev2
>        mobike=yes
>        dpddelay=5
>        dpdaction=clear
>        authby=rsasig
>        auto=add
>        ike=aes128-sha1-modp2048!
>        esp=aes128-sha1-modp2048!
>        leftsubnet=
>        right=%defaultroute
>        rightid=@nodo668.foo.com
>        rightcert=nodo668-cert.pem
>        rightsubnet=
>        compress=yes
> conn LabMPLS-drago
>        left=
>        leftid=@concentrador-drago.foo.com
> conn Lab2MPLS-vera
>        left=
>        leftid=@concentrador-vera.foo.com
>        right=
>        rightsubnet=
> conn LabMPLS-drago-voip
>        left=
>        leftid=@concentrador-drago.foo.com
>        leftsubnet=
>        rightsubnet=
>        esp=null-sha1-modp2048!
>        compress=no
> conn Lab2MPLS-vera-voip
>        left=
>        leftid=@concentrador-vera.foo.com
>        leftsubnet=
>        right=
>        rightsubnet=
>        esp=null-sha1-modp2048!
>        compress=no
> strongswan.conf:
> charon {
>        # number of worker threads in charon
>        threads = 16
>        # send strongswan vendor ID?
>        # send_vendor_id = yes
>        retransmit_timeout = 1
>        retransmit_base = 1.8
>        retransmit_tries = 4
>        install_routes = yes   # I know that yes is the default, but I tried this anyway
>        plugins {
>                sql {
>                        # loglevel to log into sql database
>                        loglevel = -1
>                        # URI to the database
>                        # database = sqlite:///path/to/file.db
>                        # database = mysql://user:password@localhost/database
>                }
>        }
>        # ...
> }
> pluto {
> }
> libstrongswan {
>        #  set to no, the DH exponent size is optimized
>        #  dh_exponent_ansi_x9_42 = no
> }
> ip addr show:
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>    inet scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP qlen 1000
>    link/ether 00:16:3e:9e:5f:51 brd ff:ff:ff:ff:ff:ff
>    inet brd scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP qlen 1000
>    link/ether 00:16:3e:9e:5f:52 brd ff:ff:ff:ff:ff:ff
>    inet brd scope global eth1
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP qlen 1000
>    link/ether 00:16:3e:9e:6f:52 brd ff:ff:ff:ff:ff:ff
>    inet brd scope global eth2
> 5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
>    link/ether 00:16:3e:9e:7f:52 brd ff:ff:ff:ff:ff:f
> ip route show:
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>    inet scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP qlen 1000
>    link/ether 00:16:3e:9e:5f:51 brd ff:ff:ff:ff:ff:ff
>    inet brd scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP qlen 1000
>    link/ether 00:16:3e:9e:5f:52 brd ff:ff:ff:ff:ff:ff
>    inet brd scope global eth1
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP qlen 1000
>    link/ether 00:16:3e:9e:6f:52 brd ff:ff:ff:ff:ff:ff
>    inet brd scope global eth2
> 5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
>    link/ether 00:16:3e:9e:7f:52 brd ff:ff:ff:ff:ff:f
> ip route show table 220:
> [empty]
> Regards,
>  Diego
> --
> Diego Woitasen

Having a look at the code I discovered that Charon sets
mode=MODE_TRANSPORT if IP_COMP is used. Why? It doesn't make any sense
to me.

And if there is a good reason, Charon should consider this situation
and set the routes anyway.

Shall I report a bug?


Diego Woitasen
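One workaround that does not depend on why charon skips the route is to install it yourself from a custom updown script (configured per connection with `leftupdown=` in ipsec.conf). The script below is an added example, not code from this thread or from strongSwan: it picks the local interface address that lies inside `PLUTO_MY_CLIENT` (the leftsubnet), looks up the next hop toward the peer, and installs a route for `PLUTO_PEER_CLIENT` in table 220 with an explicit `src`. The `PLUTO_*` variable names are the ones charon passes to its updown script; the addresses in the comments are constructed for illustration, and the route-generating function only prints the `ip` command so it can be checked without touching the kernel.

```shell
#!/bin/sh
# Hypothetical custom updown script for strongSwan (added example).
# Installs the tunnel route with an explicit "src" so that traffic
# originating on the gateway itself is sourced from the address inside
# leftsubnet, which is the address the peer's policy will accept.

TABLE=220   # routing table charon uses for its own IPsec routes

# ip4_to_int 10.1.2.3 -> 167838211 (dotted quad as a 32-bit integer)
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_subnet ADDR CIDR -> exit 0 if ADDR lies inside CIDR (IPv4 only)
in_subnet() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    plen=${2#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# pick_src CIDR ADDR... -> print the first ADDR inside CIDR, fail if none
pick_src() {
    cidr=$1; shift
    for a in "$@"; do
        if in_subnet "$a" "$cidr"; then echo "$a"; return 0; fi
    done
    return 1
}

# via_of "LINE" -> print the gateway after "via" in an "ip route get" line,
# or nothing when the destination is on-link (no gateway needed)
via_of() {
    echo "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "via") { print $(i+1); exit } }'
}

# route_cmd VERB DST GW IFACE SRC -> print the ip(8) command for this verb;
# GW may be empty, in which case no "via" is emitted
route_cmd() {
    verb=$1; dst=$2; gw=$3; iface=$4; src=$5
    case "$verb" in
        up-client)   echo "ip route replace $dst${gw:+ via $gw} dev $iface src $src table $TABLE" ;;
        down-client) echo "ip route del $dst table $TABLE" ;;
        *)           return 1 ;;
    esac
}

# Entry point: only runs when charon invokes us with PLUTO_* set.
# Example values (constructed): PLUTO_MY_CLIENT=10.1.0.0/24,
# PLUTO_PEER_CLIENT=10.2.0.0/24, PLUTO_PEER=203.0.113.5, PLUTO_INTERFACE=eth0
if [ -n "${PLUTO_VERB:-}" ]; then
    # all local IPv4 addresses without their prefix length
    local_addrs=$(ip -4 -o addr show | awk '{ sub("/.*", "", $4); print $4 }')
    # no local address inside leftsubnet: nothing to fix, let charon carry on
    src=$(pick_src "$PLUTO_MY_CLIENT" $local_addrs) || exit 0
    gw=$(via_of "$(ip route get "$PLUTO_PEER")")
    cmd=$(route_cmd "$PLUTO_VERB" "$PLUTO_PEER_CLIENT" "$gw" "$PLUTO_INTERFACE" "$src") || exit 0
    $cmd
fi
```

After the CHILD_SA comes up, `ip route show table 220` should list the remote subnet with `src` set to the leftsubnet address, and `ip route get <host behind the peer>` from the gateway should now report that source. The script deliberately ignores verbs other than `up-client` and `down-client`, so the host-to-host and `*-host` verbs charon also emits leave the table untouched.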

Users mailing list