[strongSwan] Charon doesn't set the routes
Diego Woitasen
diego at woitasen.com.ar
Fri Sep 30 13:12:49 CEST 2011
Hi,
I have the configuration below. I don't know why Charon doesn't set the
routes after SA establishment. It's a net-to-net tunnel and works
perfectly for hosts behind the gateway but if I want to connect from
one of the gateways to a host behind the peer I have to configure the
route with "src" manually. On IRC someone told me that Charon sets
the "src" in the route if it detects that one of the
[left|right]subnet values matches the IP of one of the interfaces.
ipsec.conf:
# Global daemon settings.
config setup
crlcheckinterval=30
cachecrls=yes
# A missing or unreachable CRL does not block IKE authentication.
strictcrlpolicy=no
# The IKEv1 daemon (pluto) is not started; only charon runs.
plutostart=no
hidetos=no
# Kernel-interface (knl) logging only, at level 1.
charondebug="knl 1"
# Defaults inherited by every conn section below.
conn %default
ikelifetime=8h
lifetime=8h
rekeymargin=10m
keyingtries=3
keyexchange=ikev2
mobike=yes
dpddelay=5
# On DPD timeout the SA is closed and not re-established.
dpdaction=clear
authby=rsasig
# Loaded but not started; the peer must initiate.
auto=add
# The trailing "!" restricts the proposal to exactly this algorithm set.
ike=aes128-sha1-modp2048!
esp=aes128-sha1-modp2048!
leftsubnet=10.0.0.0/8
# The local ("right") address is taken from the interface holding the default route.
right=%defaultroute
rightid=@nodo668.foo.com
rightcert=nodo668-cert.pem
# Local subnet; contains eth0's 10.12.160.254/24 from the "ip addr show" output.
rightsubnet=10.12.160.0/24
compress=yes
conn LabMPLS-drago
left=172.16.1.129
leftid=@concentrador-drago.foo.com
conn Lab2MPLS-vera
left=172.19.1.130
leftid=@concentrador-vera.foo.com
# Overrides %defaultroute; 172.19.1.1 is eth2 on this host per "ip addr show".
right=172.19.1.1
rightsubnet=10.22.160.0/24
conn LabMPLS-drago-voip
left=172.16.1.129
leftid=@concentrador-drago.foo.com
leftsubnet=10.87.0.0/16
rightsubnet=10.12.160.168/29
# "null" is the null cipher: ESP traffic on this conn is integrity-protected (SHA1) but not encrypted.
esp=null-sha1-modp2048!
compress=no
conn Lab2MPLS-vera-voip
left=172.19.1.130
leftid=@concentrador-vera.foo.com
leftsubnet=10.87.0.0/16
right=172.19.1.1
rightsubnet=10.22.160.168/29
# Same as above: authentication only, no confidentiality for this traffic selector.
esp=null-sha1-modp2048!
compress=no
strongswan.conf:
# IKEv2 daemon settings.
charon {
# number of worker threads in charon
threads = 16
# send strongswan vendor ID?
# send_vendor_id = yes
# IKE retransmission tuning: 1s initial timeout, factor 1.8, 4 tries.
retransmit_timeout = 1
retransmit_base = 1.8
retransmit_tries = 4
install_routes = yes #I know that yes is the default, but I tried this anyway
plugins {
sql {
# loglevel to log into sql database
loglevel = -1
# URI to the database
# database = sqlite:///path/to/file.db
# database = mysql://user:password@localhost/database
}
}
# ...
}
# IKEv1 daemon; unused here (plutostart=no in ipsec.conf).
pluto {
}
libstrongswan {
# set to no, the DH exponent size is optimized
# dh_exponent_ansi_x9_42 = no
}
ip addr show:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 00:16:3e:9e:5f:51 brd ff:ff:ff:ff:ff:ff
inet 10.12.160.254/24 brd 10.12.160.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 00:16:3e:9e:5f:52 brd ff:ff:ff:ff:ff:ff
inet 172.16.1.1/25 brd 172.16.1.127 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 00:16:3e:9e:6f:52 brd ff:ff:ff:ff:ff:ff
inet 172.19.1.1/25 brd 172.19.1.127 scope global eth2
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:16:3e:9e:7f:52 brd ff:ff:ff:ff:ff:f
ip route show:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 00:16:3e:9e:5f:51 brd ff:ff:ff:ff:ff:ff
inet 10.12.160.254/24 brd 10.12.160.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 00:16:3e:9e:5f:52 brd ff:ff:ff:ff:ff:ff
inet 172.16.1.1/25 brd 172.16.1.127 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
state UP qlen 1000
link/ether 00:16:3e:9e:6f:52 brd ff:ff:ff:ff:ff:ff
inet 172.19.1.1/25 brd 172.19.1.127 scope global eth2
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:16:3e:9e:7f:52 brd ff:ff:ff:ff:ff:f
ip route show table 220:
[empty]
Regards,
Diego
--
Diego Woitasen