<div dir="ltr"><div><div>So, the latest branch was built and started, but there are 2 questions:<br></div><b>First.</b> After strongswan with the forecast plug-in is started, the following appeared:<br><br>0.2131s / 2079 times in lock created at: dumping 7 stack frame addresses:<br> /usr/lib/ipsec/libstrongswan.so.0 @ 0xb7708000 [0xb774aee5]<br> -> /home/gateadmin/files/source/vpn/ipsec/strongswan/forecast/strongswan/src/libstrongswan/threading/thread.c:256<br> /usr/lib/ipsec/libstrongswan.so.0 @ 0xb7708000 (thread_create+0x15) [0xb774b315]<br> -> /home/gateadmin/files/source/vpn/ipsec/strongswan/forecast/strongswan/src/libstrongswan/threading/thread.c:323<br> /usr/lib/ipsec/libstrongswan.so.0 @ 0xb7708000 [0xb773adab]<br> -> /home/gateadmin/files/source/vpn/ipsec/strongswan/forecast/strongswan/src/libstrongswan/processing/processor.c:446<br> /usr/lib/ipsec/libcharon.so.0 @ 0xb75f4000 [0xb760ad4f]<br> -> /home/gateadmin/files/source/vpn/ipsec/strongswan/forecast/strongswan/src/libcharon/daemon.c:556<br> /usr/local/libexec/ipsec/charon @ 0x8048000 [0x804990a]<br> -> /home/gateadmin/files/source/vpn/ipsec/strongswan/forecast/strongswan/src/charon/charon.c:104<br> /lib/i386-linux-gnu/libc.so.6 @ 0xb7419000 (__libc_start_main+0xf3) [0xb7432a83]<br><br>At another time:<br><br>No leaks detected, 47 suppressed by whitelist<br>0.1117s / 2924 times in lock created at: dumping 5 stack frame addresses:<br> /usr/lib/ipsec/libstrongswan.so.0 @ 0xb76ab000 (leak_detective_create+0x77) [0xb76f0c87]<br> -> /home/gateadmin/files/source/vpn/ipsec/strongswan/forecast/strongswan/src/libstrongswan/utils/leak_detective.c:594<br> /usr/lib/ipsec/libstrongswan.so.0 @ 0xb76ab000 (library_init+0xd2) [0xb76c2f12]<br> -> /home/gateadmin/files/source/vpn/ipsec/strongswan/forecast/strongswan/src/libstrongswan/library.c:278<br> /usr/local/libexec/ipsec/starter @ 0x8048000 [0x8049b23]<br> -> /home/gateadmin/files/source/vpn/ipsec/strongswan/forecast/strongswan/src/starter/starter.c:428<br> 
/lib/i386-linux-gnu/libc.so.6 @ 0xb74b3000 (__libc_start_main+0xf3) [0xb74cca83]<br> -> /build/buildd/eglibc-2.19/csu/libc-start.c:321<br> /usr/local/libexec/ipsec/starter @ 0x8048000 [0x804abc6]<br> -> ??:?<br><br></div>But strongswan started and the connection could be established.<br>Is it normal?<br><div><br><b><br></b></div><div><b>So, the next question</b> is: I watched with <i>tcpdump src road-warrior IP</i>, but after starting strongswan with forecast there weren't any packets at all, although <u>NetBios bcasts would have to be there anyway</u>.<br></div><div>Part of ipsec.conf:<br>leftsubnet=<a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a><br>rightsourceip=192.168.0.201-192.168.0.215<br><br></div><div>and no rightsubnet and leftfirewall<br><br></div><div>and strongswan.conf, partly:<br>load = .... forecast<br><br>plugins {<br> attr {<br> poolname = 192.168.0.201-192.168.0.215<br> dns = 192.168.0.254<br> }<br> dhcp {<br> server = 192.168.0.255<br> force_server_address = yes<br> }<br> systime-fix {<br> threshold=2014<br> interval=300<br> }<br> forecast {<br> interface=lan0<br> groups=224.10.0.1,224.10.0.2<br> reinject=ikev2_cert_eap-mschapv2<br> }<br> }<br><br></div><div>What is wrong?<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2015-01-22 16:39 GMT+03:00 Martin Willi <span dir="ltr"><<a href="mailto:martin@strongswan.org" target="_blank">martin@strongswan.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Please keep the discussion on the mailing list, thanks.<br>
<span class=""><br>
> So, but can you send or place 5.2.2 release (or later) code with your<br>
> plug-in.<br>
<br>
</span>No, the plugin is not part of 5.2.2 or any other release. You'll have to<br>
build from the forecast git branch [1].<br>
<span class=""><br>
> And does it really allow to transfer broadcast (in particular to dest<br>
> 255.255.255.255) from/to road-warrior ?<br>
<br>
</span>Yes, that's the intention. The plugin is still experimental, but your<br>
feedback is welcome.<br>
<span class=""><br>
> And the second question was about multiple connections from clients behind<br>
> the same NAT using l2tp/psk/cert.<br>
<br>
</span>Take a look at the connmark plugin/branch [2]. It's experimental and not<br>
part of mainline yet, but it allows you to bind Netfilter conntrack<br>
session to individual transport mode peers behind the same NAT router.<br>
<br>
As there is no documentation for these plugins so far, please refer to<br>
the NEWS file changes and the two KVM test cases.<br>
<br>
Regards<br>
Martin<br>
<br>
[1]<a href="http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/forecast" target="_blank">http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/forecast</a><br>
[2]<a href="http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/connmark" target="_blank">http://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/connmark</a><br>
<br>
</blockquote></div><br></div>