[strongSwan] roadrunner setup with auto = route

Christoph Anton Mitterer calestyo at scientia.net
Mon Oct 11 23:44:52 CEST 2010


Hi.

I was setting up a roadrunner setup and stumbled across two things:
1) Manpages and documentation tell that left/rightsubnetwithin would be
of no use with IKEv2, right?
It seems however that it does work and can be used so that both sides must
agree on an assigned virtual IP.
e.g.:
moon:
right=%any
rightallowany=yes
rightid="someDN"
rightsourceip=1.2.3.4

roadrunner:
right* points to moon

left=%defaultroute
leftallowany=no
leftsourceip=%modeconfig

This alone means (AFAIU) that the roadrunner cannot force an address to
be used by moon (e.g. even when setting leftsourceip=2.2.2.2 => still
1.2.3.4 would be used). But moon can force any address to be used by the
roadrunner, because the responder decides, right?

This might be undesirable for the roadrunner (e.g. when it is specially
secured with some firewall rules or so).
But when one sets on the roadrunner side:
leftsubnetwithin=1.2.3.4/32
it seems that one can enforce that address to be used. So if moon would
change it, no connection would happen.

Might be worth adding this to the documentation (in case I haven't just
overlooked it).


2) What I wanted to do is to have auto = add on the moon side and auto =
route on the roadrunner side,
so that the connection is only established when the roadrunner needs it.

But while the ip xfrm policies seem to be set up, no connection seems to
be established when traffic occurs. Or at least nothing changes when
doing an ipsec statusall.

Am I doing anything wrong?


Cheers,
Chris.
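For the second point, a useful check on the auto=route side is to compare the policies the daemon installed up front (visible in "ip xfrm policy") with the SAs that only appear in "ip xfrm state" once matching traffic has triggered a negotiation. The script below is an added diagnostic and is not part of this post or of strongSwan; the two "ip xfrm" outputs embedded in it are constructed samples, the function names are mine, and on a real host the live tables are read with run_live() as root.

```python
"""Match `ip xfrm policy` templates against `ip xfrm state` to see whether
an auto=route (trap) policy has actually been brought up.

Added diagnostic, not part of the mailing-list post or of strongSwan.
The sample outputs below are constructed; run_live() reads the real
kernel tables (needs root).
"""
import re
import subprocess

# Constructed sample: the outbound and inbound policy strongSwan installs
# for one connection (reqid 1) before any traffic has flowed.
SAMPLE_POLICY = """\
src 10.1.0.0/24 dst 10.2.0.0/24
\tdir out priority 383615 ptype main
\ttmpl src 192.0.2.10 dst 198.51.100.1
\t\tproto esp reqid 1 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
\tdir in priority 383615 ptype main
\ttmpl src 198.51.100.1 dst 192.0.2.10
\t\tproto esp reqid 1 mode tunnel
"""

# Constructed sample: nothing in the SA table, i.e. the trap never fired
# or the IKE negotiation did not complete.
SAMPLE_STATE_EMPTY = ""

# Constructed sample: a pair of ESP SAs for reqid 1, i.e. the tunnel is up
# (keys shortened to 0x00, they are irrelevant for this check).
SAMPLE_STATE_UP = """\
src 192.0.2.10 dst 198.51.100.1
\tproto esp spi 0x0c1d2e3f reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x00 128
\tenc cbc(aes) 0x00
src 198.51.100.1 dst 192.0.2.10
\tproto esp spi 0xc0ffee01 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x00 128
\tenc cbc(aes) 0x00
"""


def _blocks(text):
    """Split `ip xfrm` output into records; each record starts at an
    unindented 'src ... dst ...' line, continuation lines are indented."""
    blocks, cur = [], []
    for line in text.splitlines():
        if line and not line[0].isspace():
            if cur:
                blocks.append(cur)
            cur = [line.strip()]
        elif cur:
            cur.append(line.strip())
    if cur:
        blocks.append(cur)
    return blocks


def parse_policies(text):
    """Return one dict per policy: selector, direction, tunnel endpoints, reqid."""
    policies = []
    for block in _blocks(text):
        head = re.match(r"src (\S+) dst (\S+)", block[0])
        pol = {"src": head.group(1), "dst": head.group(2), "dir": None, "reqid": None}
        for line in block[1:]:
            m = re.match(r"dir (\S+)", line)
            if m:
                pol["dir"] = m.group(1)
            m = re.match(r"tmpl src (\S+) dst (\S+)", line)
            if m:
                pol["tmpl_src"], pol["tmpl_dst"] = m.group(1), m.group(2)
            m = re.search(r"\breqid (\d+)", line)
            if m:
                pol["reqid"] = int(m.group(1))
        if pol["reqid"] is not None:
            policies.append(pol)
    return policies


def parse_state_reqids(text):
    """Return the set of reqids for which an ESP or AH SA is installed."""
    reqids = set()
    for block in _blocks(text):
        for line in block[1:]:
            m = re.search(r"\bproto (esp|ah) spi 0x[0-9a-f]+ reqid (\d+)", line)
            if m:
                reqids.add(int(m.group(2)))
    return reqids


def check_trap_policies(policy_text, state_text):
    """For every policy, report (src, dst, dir, reqid, sa_present).
    A policy without an SA is a trap that has not fired yet, or a
    negotiation that failed; the IKE daemon log tells which."""
    up = parse_state_reqids(state_text)
    return [(p["src"], p["dst"], p["dir"], p["reqid"], p["reqid"] in up)
            for p in parse_policies(policy_text)]


def run_live():
    """Same check against the live kernel tables (needs root)."""
    pol = subprocess.run(["ip", "xfrm", "policy"], capture_output=True,
                         text=True, check=True).stdout
    st = subprocess.run(["ip", "xfrm", "state"], capture_output=True,
                        text=True, check=True).stdout
    return check_trap_policies(pol, st)


if __name__ == "__main__":
    for src, dst, d, reqid, ok in check_trap_policies(SAMPLE_POLICY, SAMPLE_STATE_EMPTY):
        status = "SA up" if ok else "no SA (trap not triggered or negotiation failed)"
        print(f"{d:3} {src} -> {dst} reqid {reqid}: {status}")
```

If the policies are listed but every reqid reports "no SA" after traffic has been sent, the traffic did not hit the trap (wrong selector, or a route sending it elsewhere) or the acquire reached the daemon and the IKE exchange failed; the daemon log distinguishes the two cases, which "ipsec statusall" alone does not.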