[strongSwan] Charon doesn't set the routes

Diego Woitasen diego at woitasen.com.ar
Fri Sep 30 18:52:53 CEST 2011 

On Fri, Sep 30, 2011 at 8:12 AM, Diego Woitasen <diego at woitasen.com.ar> wrote:
> Hi,
>  I have the configure below. I don't know why Charon doesn't set the
> routes after SA establishment. It's a net-to-net tunnel and works
> perfectly for hosts behind the gateway but if I want to connect from
> one of the gateways to a host behind the peer I have to configure the
> route with "src" manually. In the IRC someone told me that Charon set
> the "src" in the route if it detects that one of the
> [left|right]subnet matches the IP if one of the interfaces.
>
> ipsec.conf:
> config setup
>        crlcheckinterval=30
>        cachecrls=yes
>        strictcrlpolicy=no
>        plutostart=no
>        hidetos=no
>        charondebug="knl 1"
>
> conn %default
>        ikelifetime=8h
>        lifetime=8h
>        rekeymargin=10m
>        keyingtries=3
>        keyexchange=ikev2
>        mobike=yes
>        dpddelay=5
>        dpdaction=clear
>        authby=rsasig
>        auto=add
>        ike=aes128-sha1-modp2048!
>        esp=aes128-sha1-modp2048!
>        leftsubnet=10.0.0.0/8
>        right=%defaultroute
>        rightid=@nodo668.foo.com
>        rightcert=nodo668-cert.pem
>        rightsubnet=10.12.160.0/24
>        compress=yes
>
> conn LabMPLS-drago
>        left=172.16.1.129
>        leftid=@concentrador-drago.foo.com
>
> conn Lab2MPLS-vera
>        left=172.19.1.130
>        leftid=@concentrador-vera.foo.com
>        right=172.19.1.1
>        rightsubnet=10.22.160.0/24
>
> conn LabMPLS-drago-voip
>        left=172.16.1.129
>        leftid=@concentrador-drago.foo.com
>        leftsubnet=10.87.0.0/16
>        rightsubnet=10.12.160.168/29
>        esp=null-sha1-modp2048!
>        compress=no
>
> conn Lab2MPLS-vera-voip
>        left=172.19.1.130
>        leftid=@concentrador-vera.foo.com
>        leftsubnet=10.87.0.0/16
>        right=172.19.1.1
>        rightsubnet=10.22.160.168/29
>        esp=null-sha1-modp2048!
>        compress=no
>
> strongswan.conf:
>
> charon {
>
>        # number of worker threads in charon
>        threads = 16
>
>        # send strongswan vendor ID?
>        # send_vendor_id = yes
>
>        retransmit_timeout = 1
>        retransmit_base = 1.8
>        retransmit_tries = 4
>        install_routes = yes   #I know that yes is the default, but I tried this anyway
>
>        plugins {
>
>                sql {
>                        # loglevel to log into sql database
>                        loglevel = -1
>
>                        # URI to the database
>                        # database = sqlite:///path/to/file.db
>                        # database = mysql://user:password@localhost/database
>                }
>        }
>
>        # ...
> }
>
> pluto {
>
> }
>
> libstrongswan {
>
>        #  set to no, the DH exponent size is optimized
>        #  dh_exponent_ansi_x9_42 = no
> }
>
> ip addr show:
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>    inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP qlen 1000
>    link/ether 00:16:3e:9e:5f:51 brd ff:ff:ff:ff:ff:ff
>    inet 10.12.160.254/24 brd 10.12.160.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP qlen 1000
>    link/ether 00:16:3e:9e:5f:52 brd ff:ff:ff:ff:ff:ff
>    inet 172.16.1.1/25 brd 172.16.1.127 scope global eth1
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP qlen 1000
>    link/ether 00:16:3e:9e:6f:52 brd ff:ff:ff:ff:ff:ff
>    inet 172.19.1.1/25 brd 172.19.1.127 scope global eth2
> 5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
>    link/ether 00:16:3e:9e:7f:52 brd ff:ff:ff:ff:ff:f
>
> ip route show:
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>    inet 127.0.0.1/8 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP qlen 1000
>    link/ether 00:16:3e:9e:5f:51 brd ff:ff:ff:ff:ff:ff
>    inet 10.12.160.254/24 brd 10.12.160.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP qlen 1000
>    link/ether 00:16:3e:9e:5f:52 brd ff:ff:ff:ff:ff:ff
>    inet 172.16.1.1/25 brd 172.16.1.127 scope global eth1
> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
> state UP qlen 1000
>    link/ether 00:16:3e:9e:6f:52 brd ff:ff:ff:ff:ff:ff
>    inet 172.19.1.1/25 brd 172.19.1.127 scope global eth2
> 5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
>    link/ether 00:16:3e:9e:7f:52 brd ff:ff:ff:ff:ff:f
>
> ip route show table 220:
> [empty]
>
>
>
> Regards,
>  Diego
> --
> Diego Woitasen
>

Having a look at the code I discovered that Charon sets
mode=MODE_TRANSPORT is IP_COMP is used. Why? It doesn't have any sense
for me.

And if there is a good reason, Charon should consider this situation
to set the routers anyway.

Shall I report a bug?

Regards,
 Diego

-- 
Diego Woitasen

More information about the Users mailing list