[strongSwan] Charon doesn't set the routes

Diego Woitasen diego at woitasen.com.ar
Fri Sep 30 18:57:40 CEST 2011


On Fri, Sep 30, 2011 at 1:52 PM, Diego Woitasen <diego at woitasen.com.ar> wrote:
> On Fri, Sep 30, 2011 at 8:12 AM, Diego Woitasen <diego at woitasen.com.ar> wrote:
>> Hi,
>>  I have the configuration below. I don't know why Charon doesn't set the
>> routes after SA establishment. It's a net-to-net tunnel and works
>> perfectly for hosts behind the gateway but if I want to connect from
>> one of the gateways to a host behind the peer I have to configure the
>> route with "src" manually. In the IRC someone told me that Charon sets
>> the "src" in the route if it detects that one of the
>> [left|right]subnets matches the IP of one of the interfaces.
>>
>> ipsec.conf:
>> config setup
>>        crlcheckinterval=30
>>        cachecrls=yes
>>        strictcrlpolicy=no
>>        plutostart=no
>>        hidetos=no
>>        charondebug="knl 1"
>>
>> conn %default
>>        ikelifetime=8h
>>        lifetime=8h
>>        rekeymargin=10m
>>        keyingtries=3
>>        keyexchange=ikev2
>>        mobike=yes
>>        dpddelay=5
>>        dpdaction=clear
>>        authby=rsasig
>>        auto=add
>>        ike=aes128-sha1-modp2048!
>>        esp=aes128-sha1-modp2048!
>>        leftsubnet=10.0.0.0/8
>>        right=%defaultroute
>>        rightid=@nodo668.foo.com
>>        rightcert=nodo668-cert.pem
>>        rightsubnet=10.12.160.0/24
>>        compress=yes
>>
>> conn LabMPLS-drago
>>        left=172.16.1.129
>>        leftid=@concentrador-drago.foo.com
>>
>> conn Lab2MPLS-vera
>>        left=172.19.1.130
>>        leftid=@concentrador-vera.foo.com
>>        right=172.19.1.1
>>        rightsubnet=10.22.160.0/24
>>
>> conn LabMPLS-drago-voip
>>        left=172.16.1.129
>>        leftid=@concentrador-drago.foo.com
>>        leftsubnet=10.87.0.0/16
>>        rightsubnet=10.12.160.168/29
>>        esp=null-sha1-modp2048!
>>        compress=no
>>
>> conn Lab2MPLS-vera-voip
>>        left=172.19.1.130
>>        leftid=@concentrador-vera.foo.com
>>        leftsubnet=10.87.0.0/16
>>        right=172.19.1.1
>>        rightsubnet=10.22.160.168/29
>>        esp=null-sha1-modp2048!
>>        compress=no
>>
>> strongswan.conf:
>>
>> charon {
>>
>>        # number of worker threads in charon
>>        threads = 16
>>
>>        # send strongswan vendor ID?
>>        # send_vendor_id = yes
>>
>>        retransmit_timeout = 1
>>        retransmit_base = 1.8
>>        retransmit_tries = 4
>>        install_routes = yes   #I know that yes is the default, but I tried this anyway
>>
>>        plugins {
>>
>>                sql {
>>                        # loglevel to log into sql database
>>                        loglevel = -1
>>
>>                        # URI to the database
>>                        # database = sqlite:///path/to/file.db
>>                        # database = mysql://user:password@localhost/database
>>                }
>>        }
>>
>>        # ...
>> }
>>
>> pluto {
>>
>> }
>>
>> libstrongswan {
>>
>>        #  set to no, the DH exponent size is optimized
>>        #  dh_exponent_ansi_x9_42 = no
>> }
>>
>> ip addr show:
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>>    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>    inet 127.0.0.1/8 scope host lo
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
>> state UP qlen 1000
>>    link/ether 00:16:3e:9e:5f:51 brd ff:ff:ff:ff:ff:ff
>>    inet 10.12.160.254/24 brd 10.12.160.255 scope global eth0
>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
>> state UP qlen 1000
>>    link/ether 00:16:3e:9e:5f:52 brd ff:ff:ff:ff:ff:ff
>>    inet 172.16.1.1/25 brd 172.16.1.127 scope global eth1
>> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
>> state UP qlen 1000
>>    link/ether 00:16:3e:9e:6f:52 brd ff:ff:ff:ff:ff:ff
>>    inet 172.19.1.1/25 brd 172.19.1.127 scope global eth2
>> 5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
>>    link/ether 00:16:3e:9e:7f:52 brd ff:ff:ff:ff:ff:f
>>
>> ip route show:
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>>    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>    inet 127.0.0.1/8 scope host lo
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
>> state UP qlen 1000
>>    link/ether 00:16:3e:9e:5f:51 brd ff:ff:ff:ff:ff:ff
>>    inet 10.12.160.254/24 brd 10.12.160.255 scope global eth0
>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
>> state UP qlen 1000
>>    link/ether 00:16:3e:9e:5f:52 brd ff:ff:ff:ff:ff:ff
>>    inet 172.16.1.1/25 brd 172.16.1.127 scope global eth1
>> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
>> state UP qlen 1000
>>    link/ether 00:16:3e:9e:6f:52 brd ff:ff:ff:ff:ff:ff
>>    inet 172.19.1.1/25 brd 172.19.1.127 scope global eth2
>> 5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
>>    link/ether 00:16:3e:9e:7f:52 brd ff:ff:ff:ff:ff:f
>>
>> ip route show table 220:
>> [empty]
>>
>>
>>
>> Regards,
>>  Diego
>> --
>> Diego Woitasen
>>
>
> Having a look at the code I discovered that Charon sets
> mode=MODE_TRANSPORT if IP_COMP is used. Why? It doesn't make any sense
> to me.
>
> And if there is a good reason, Charon should consider this situation
> to set the routes anyway.
>
> Shall I report a bug?
>
> Regards,
>  Diego
>
> --
> Diego Woitasen
>

I forgot to clarify that the route is inserted if compress=no. In the
add_policy method in kernel_netlink_ipsec.c, the code checks whether mode !=
MODE_TRANSPORT before inserting the route.

Regards,
 Diego

-- 
Diego Woitasen
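To pin down which conns are affected by this, here is an added Python helper (written for this page, not part of the thread or of strongSwan): it parses a constructed, abbreviated copy of the ipsec.conf quoted above with `conn %default` inheritance and, for each conn, returns the table-220 route charon would install, or None where compress=yes is in effect, following Diego's reading of add_policy. The interface addresses come from the quoted `ip addr show`; the src-selection rule (local interface address inside the local subnet) is the IRC hint from the first message, assumed here rather than verified against the source.

```python
import ipaddress
import re
# Constructed sample, abbreviated from the ipsec.conf and `ip addr show` quoted in the thread.
IPSEC_CONF = """\
conn %default
        leftsubnet=10.0.0.0/8
        right=%defaultroute
        rightsubnet=10.12.160.0/24
        compress=yes
conn LabMPLS-drago
        left=172.16.1.129
conn Lab2MPLS-vera
        left=172.19.1.130
        right=172.19.1.1
        rightsubnet=10.22.160.0/24
"""
LOCAL_IPS = {"10.12.160.254", "172.16.1.1", "172.19.1.1"}  # eth0..eth2 from the quoted ip addr show

def parse_ipsec_conf(text):
    """Return {conn: settings}; every conn inherits the values of 'conn %default'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        m = re.match(r"^(conn|config)\s+(\S+)", line)
        if m:                                          # new section; only conns are kept
            current = sections.setdefault(m.group(2), {}) if m.group(1) == "conn" else None
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **cfg} for name, cfg in sections.items()}

def local_side(conn):
    """'left' or 'right': the side whose address is %defaultroute or one of this host's IPs."""
    for side in ("left", "right"):
        if conn.get(side) == "%defaultroute" or conn.get(side) in LOCAL_IPS:
            return side
    return None

def expected_route(conn):
    """Route charon should install in table 220, or None in the IPComp case from the thread:
    compress=yes gives a MODE_TRANSPORT policy and add_policy installs no route for those."""
    if conn.get("compress", "no") == "yes":
        return None
    local = local_side(conn)
    if local is None:
        raise ValueError("neither left nor right is this host")
    remote = "right" if local == "left" else "left"
    # src = the interface address inside the local subnet (assumed rule from the IRC hint above)
    local_net = ipaddress.ip_network(conn[local + "subnet"], strict=False)
    src = next((ip for ip in sorted(LOCAL_IPS) if ipaddress.ip_address(ip) in local_net), None)
    return {"dst": conn[remote + "subnet"], "src": src, "table": 220}
```

Running it over the sample gives None for both conns; rerunning with compress=no in %default shows the route LabMPLS-drago gets, and that Lab2MPLS-vera still gets no src because no interface address lies in 10.22.160.0/24.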



