[strongSwan] Pluto is adding a second ip rule

Vonlanthen, Elmar Elmar.Vonlanthen at united-security-providers.ch
Fri Nov 4 09:45:35 CET 2011


Hello all

I have a weird problem: Pluto is adding a second ip rule, even if the rule
is already there.

I thought this happens in the _updown script, but even with this minimal
configuration, the rule is added:

config setup
        charonstart=no
        plutostart=yes
        charondebug=none
        plutodebug=all

Before ipsec start:

# ip rule
0:      from all lookup local
100:    from all lookup main
140:    from 10.10.2.0/24 lookup wan0
141:    from 10.100.2.0/24 lookup wan1
300:    from all lookup wan0

After ipsec start:

# ip rule
0:      from all lookup local
100:    from all lookup main
100:    from all lookup main
140:    from 10.10.2.0/24 lookup wan0
141:    from 10.100.2.0/24 lookup wan1
300:    from all lookup wan0

strongSwan was compiled with "--with-routing-table=254
--with-routing-table-prio=100" (254 is "main").

# ipsec version
Linux strongSwan U4.5.3/K2.6.35.10-SMP
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

Why does this happen, and where in the pluto source code does the ip rule
addition take place? Is it added with netlink?

This is the log output:

2011-11-04 09:34:19 chgut2fw01 pluto[26284]: listening on interfaces:
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:   eth0
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:     172.16.20.2
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:     172.16.200.1
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:     172.16.20.1
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:   eth1
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:     10.10.2.2
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:     10.10.2.4
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:     10.10.2.5
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:     10.10.2.6
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:     10.10.2.10
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:   eth2
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:     10.10.2.130
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:     10.10.2.129
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:   eth3
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:     10.100.2.2
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:     10.100.2.4
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:     10.100.2.5
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:     10.100.2.6
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:     10.100.2.10
2011-11-04 09:34:19 chgut2fw01 pluto[26284]: received netlink error: Address family not supported by protocol (97)
2011-11-04 09:34:19 chgut2fw01 pluto[26284]: unable to create IPv6 routing table rule
2011-11-04 09:34:19 chgut2fw01 pluto[26284]: | plugin 'kernel-netlink': loaded successfully
2011-11-04 09:34:19 chgut2fw01 pluto[26284]: | plugin 'resolve': loaded successfully
2011-11-04 09:34:19 chgut2fw01 pluto[26284]: loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
2011-11-04 09:34:19 chgut2fw01 pluto[26284]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
2011-11-04 09:34:19 chgut2fw01 pluto[26284]:   including NAT-Traversal patch (Version 0.6c) [disabled]
2011-11-04 09:34:19 chgut2fw01 pluto[26284]: | finish_pfkey_msg: SADB_REGISTER message 1 for AH
2011-11-04 09:34:19 chgut2fw01 pluto[26284]: |   02 07 00 02  02 00 00 00  01 00 00 00  ac 66 00 00
2011-11-04 09:34:19 chgut2fw01 ipsec_starter[26283]: pluto (26284) started after 20 ms

Thanks.

Best regards
Elmar

____________________________

Elmar Vonlanthen
Solution Engineer
Dipl. Ing. Informatik FH

United Security Providers AG
Stauffacherstrasse 65/15
CH-3014 Bern

Phone:          +41 31 959 02 02
Fax:            +41 31 959 02 59
Direct:         +41 31 959 02 85
Mobile:         +41 79 242 25 07
Mail:           elmar.vonlanthen(at)united-security-providers.ch
Web:            http://www.united-security-providers.ch
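A check for the duplicate rule shown in the two `ip rule` listings above, as an added example that is not part of the original post and not strongSwan code: it parses the text form of `ip rule show` (the sample input is constructed from the "After ipsec start" listing quoted in the post), reports any rule that is present more than once, and shows an idempotent add that only issues `ip rule add` when the rule is absent. The function names and the `priority` keyword use are my own choices; `current_rules_output()` is the only part that touches the live host and is not called by the offline sample.

```python
"""Detect duplicate policy-routing rules in `ip rule show` output.

Added example, not taken from the mailing-list post or from strongSwan.
"""
import re
import subprocess
from collections import Counter

# Constructed sample: the "After ipsec start" listing quoted in the post,
# in which priority 100 "from all lookup main" appears twice.
SAMPLE_AFTER = """\
0:      from all lookup local
100:    from all lookup main
100:    from all lookup main
140:    from 10.10.2.0/24 lookup wan0
141:    from 10.100.2.0/24 lookup wan1
300:    from all lookup wan0
"""

# "<priority>:<whitespace><rest of rule>"
RULE_RE = re.compile(r"^\s*(\d+):\s+(.*\S)\s*$")


def parse_rules(output):
    """Return a list of (priority, spec) tuples, one per rule line.

    spec is the remainder of the line with whitespace normalised, e.g.
    'from all lookup main'. Lines that do not look like rules are skipped.
    """
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        prio = int(m.group(1))
        spec = " ".join(m.group(2).split())
        rules.append((prio, spec))
    return rules


def find_duplicates(output):
    """Return sorted [(priority, spec, count)] for rules listed more than once."""
    counts = Counter(parse_rules(output))
    return sorted((p, s, n) for (p, s), n in counts.items() if n > 1)


def rule_present(output, prio, spec):
    """True if the rule (priority + normalised spec) is already installed."""
    return (prio, " ".join(spec.split())) in parse_rules(output)


def idempotent_add_cmd(output, prio, spec):
    """Return the `ip rule add` argv to run, or None if the rule exists.

    This is the check an _updown script or daemon should make before adding:
    look first, then add with an explicit priority so the exact rule can be
    matched again on delete.
    """
    if rule_present(output, prio, spec):
        return None
    return ["ip", "rule", "add"] + spec.split() + ["priority", str(prio)]


def current_rules_output():
    """Run `ip rule show` on this host (not used by the offline sample)."""
    return subprocess.run(["ip", "rule", "show"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for prio, spec, n in find_duplicates(SAMPLE_AFTER):
        print(f"rule {prio}: '{spec}' appears {n} times")
    print(idempotent_add_cmd(SAMPLE_AFTER, 100, "from all lookup main"))
    print(idempotent_add_cmd(SAMPLE_AFTER, 200, "from all lookup wan1"))
```

Run against `current_rules_output()` instead of `SAMPLE_AFTER` to audit a live box; a non-empty result from `find_duplicates` after `ipsec start` is the symptom the post describes, and comparing the output before and after the start shows which daemon inserted the extra rule.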