On Fri, Sep 30, 2011 at 8:12 AM, Diego Woitasen <di...@woitasen.com.ar> wrote:
> Hi,
> I have the configuration below. I don't know why Charon doesn't set the
> routes after SA establishment. It's a net-to-net tunnel and works
> perfectly for hosts behind the gateway, but if I want to connect from
> one of the gateways to a host behind the peer I have to configure the
> route with "src" manually. On IRC someone told me that Charon sets
> the "src" in the route if it detects that one of the
> [left|right]subnets matches the IP of one of the interfaces.
>
> ipsec.conf:
> config setup
>     crlcheckinterval=30
>     cachecrls=yes
>     strictcrlpolicy=no
>     plutostart=no
>     hidetos=no
>     charondebug="knl 1"
>
> conn %default
>     ikelifetime=8h
>     lifetime=8h
>     rekeymargin=10m
>     keyingtries=3
>     keyexchange=ikev2
>     mobike=yes
>     dpddelay=5
>     dpdaction=clear
>     authby=rsasig
>     auto=add
>     ike=aes128-sha1-modp2048!
>     esp=aes128-sha1-modp2048!
>     leftsubnet=10.0.0.0/8
>     right=%defaultroute
>     rightid=@nodo668.foo.com
>     rightcert=nodo668-cert.pem
>     rightsubnet=10.12.160.0/24
>     compress=yes
>
> conn LabMPLS-drago
>     left=172.16.1.129
>     leftid=@concentrador-drago.foo.com
>
> conn Lab2MPLS-vera
>     left=172.19.1.130
>     leftid=@concentrador-vera.foo.com
>     right=172.19.1.1
>     rightsubnet=10.22.160.0/24
>
> conn LabMPLS-drago-voip
>     left=172.16.1.129
>     leftid=@concentrador-drago.foo.com
>     leftsubnet=10.87.0.0/16
>     rightsubnet=10.12.160.168/29
>     esp=null-sha1-modp2048!
>     compress=no
>
> conn Lab2MPLS-vera-voip
>     left=172.19.1.130
>     leftid=@concentrador-vera.foo.com
>     leftsubnet=10.87.0.0/16
>     right=172.19.1.1
>     rightsubnet=10.22.160.168/29
>     esp=null-sha1-modp2048!
>     compress=no
>
> strongswan.conf:
>
> charon {
>
>     # number of worker threads in charon
>     threads = 16
>
>     # send strongswan vendor ID?
>     # send_vendor_id = yes
>
>     retransmit_timeout = 1
>     retransmit_base = 1.8
>     retransmit_tries = 4
>     install_routes = yes  # I know that yes is the default, but I tried this anyway
>
>     plugins {
>
>         sql {
>             # loglevel to log into sql database
>             loglevel = -1
>
>             # URI to the database
>             # database = sqlite:///path/to/file.db
>             # database = mysql://user:password@localhost/database
>         }
>     }
>
>     # ...
> }
>
> pluto {
>
> }
>
> libstrongswan {
>
>     # set to no, the DH exponent size is optimized
>     # dh_exponent_ansi_x9_42 = no
> }
>
> ip addr show:
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 00:16:3e:9e:5f:51 brd ff:ff:ff:ff:ff:ff
>     inet 10.12.160.254/24 brd 10.12.160.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 00:16:3e:9e:5f:52 brd ff:ff:ff:ff:ff:ff
>     inet 172.16.1.1/25 brd 172.16.1.127 scope global eth1
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 00:16:3e:9e:6f:52 brd ff:ff:ff:ff:ff:ff
>     inet 172.19.1.1/25 brd 172.19.1.127 scope global eth2
> 5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
>     link/ether 00:16:3e:9e:7f:52 brd ff:ff:ff:ff:ff:f
>
> ip route show:
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 00:16:3e:9e:5f:51 brd ff:ff:ff:ff:ff:ff
>     inet 10.12.160.254/24 brd 10.12.160.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 00:16:3e:9e:5f:52 brd ff:ff:ff:ff:ff:ff
>     inet 172.16.1.1/25 brd 172.16.1.127 scope global eth1
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>     link/ether 00:16:3e:9e:6f:52 brd ff:ff:ff:ff:ff:ff
>     inet 172.19.1.1/25 brd 172.19.1.127 scope global eth2
> 5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
>     link/ether 00:16:3e:9e:7f:52 brd ff:ff:ff:ff:ff:f
>
> ip route show table 220:
> [empty]
>
>
>
> Regards,
> Diego
> --
> Diego Woitasen
>
Having a look at the code I discovered that Charon sets mode=MODE_TRANSPORT if IP_COMP is used. Why? It doesn't make any sense to me. And if there is a good reason, Charon should consider this situation and set the routes anyway. Shall I report a bug?

Regards,
Diego
--
Diego Woitasen

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
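As an added illustration of the route-selection rule quoted in the thread (the "src" of the table 220 route is the local interface address that falls inside the local traffic selector), the script below works out, offline, which `ip route ... table 220` command charon would be expected to install for each conn, and flags the conns where no local address matches (so no "src" would be set) and the conns with `compress=yes`, which is the condition Diego's reply ties to the missing routes. This is example code written for this page, not strongSwan's own logic: the trimmed ipsec.conf and the interface addresses are taken from the posted mail, while the main routing table (in particular the next hops 172.16.1.126 and 172.19.1.126) is an assumption, since the mail does not show one.

```python
"""Predict the table-220 routes charon would install per conn (added example, not strongSwan code)."""
import ipaddress

# Constructed: trimmed from the ipsec.conf posted in the thread.
IPSEC_CONF = """\
conn %default
    keyexchange=ikev2
    leftsubnet=10.0.0.0/8
    right=%defaultroute
    rightsubnet=10.12.160.0/24
    compress=yes

conn LabMPLS-drago
    left=172.16.1.129

conn Lab2MPLS-vera
    left=172.19.1.130
    right=172.19.1.1
    rightsubnet=10.22.160.0/24

conn LabMPLS-drago-voip
    left=172.16.1.129
    leftsubnet=10.87.0.0/16
    rightsubnet=10.12.160.168/29
    compress=no
"""

# Constructed from the `ip addr show` output in the thread.
IFACES = {"eth0": "10.12.160.254/24", "eth1": "172.16.1.1/25", "eth2": "172.19.1.1/25"}

# ASSUMED main routing table: connected routes follow from IFACES, the two next hops are invented.
MAIN_TABLE = [
    ("10.12.160.0/24", None, "eth0"),
    ("172.16.1.0/25", None, "eth1"),
    ("172.19.1.0/25", None, "eth2"),
    ("172.19.1.128/25", "172.19.1.126", "eth2"),
    ("0.0.0.0/0", "172.16.1.126", "eth1"),
]


def parse_ipsec_conf(text):
    """Return {conn_name: options} with `conn %default` merged into every conn."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header such as "conn NAME"
            kind, _, name = line.strip().partition(" ")
            cur = sections.setdefault((kind, name.strip()), {})
        else:
            key, _, val = line.strip().partition("=")
            cur[key.strip()] = val.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **opts} for (kind, name), opts in sections.items()
            if kind == "conn" and name != "%default"}


def lookup(dst, table=MAIN_TABLE):
    """Longest-prefix match on the (assumed) main table; returns (via, dev)."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, via, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def local_side(conn, ifaces=IFACES):
    """Which of left/right is this host: an address we own, else the %defaultroute side."""
    own = {str(ipaddress.ip_interface(a).ip) for a in ifaces.values()}
    for side in ("left", "right"):
        if conn.get(side) in own:
            return side
    for side in ("left", "right"):
        if conn.get(side) == "%defaultroute":
            return side
    raise ValueError("cannot tell which side is local")


def pick_src(local_subnets, ifaces=IFACES):
    """The rule from the thread: first interface address inside a local traffic selector, else None."""
    for cidr in local_subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        for addr in ifaces.values():
            ip = ipaddress.ip_interface(addr).ip
            if ip in net:
                return str(ip)
    return None


def expected_routes(conns, ifaces=IFACES, table=MAIN_TABLE):
    """One entry per (conn, remote subnet) with the route command charon would be expected to add."""
    out = []
    for name, c in conns.items():
        me = local_side(c, ifaces)
        peer = "right" if me == "left" else "left"
        via, dev = lookup(c[peer], table)
        src = pick_src(c.get(f"{me}subnet", "").split(","), ifaces)
        for dst in c.get(f"{peer}subnet", "").split(","):
            cmd = f"ip route add {dst}" + (f" via {via}" if via else "") + f" dev {dev}"
            cmd += (f" src {src}" if src else "") + " table 220"
            out.append({"conn": name, "dst": dst, "src": src, "cmd": cmd,
                        "compress": c.get("compress") == "yes"})
    return out


if __name__ == "__main__":
    for r in expected_routes(parse_ipsec_conf(IPSEC_CONF)):
        flags = [] if r["src"] else ["no local address inside the local subnet: no src"]
        if r["compress"]:
            flags.append("compress=yes: per the thread, check table 220 and add the route by hand")
        print(f"{r['conn']}: {r['cmd']}" + (f"  [{'; '.join(flags)}]" if flags else ""))
```

Run it and compare the printed commands with `ip route show table 220` on the gateway; a conn listed here whose route is absent from table 220 is the case the thread describes, and the command shown is the one to add manually (with the next hop corrected to whatever `ip route get <peer>` reports on the real box).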