[strongSwan] Adding unity_split_include breaks SA negotiation

Tobias Brunner tobias at strongswan.org
Fri Apr 13 10:38:49 CEST 2012


Hi Rick,

The problem is that Pluto doesn't have native support for the
UNITY_SPLIT_INCLUDE attribute.  With the attr plugin it can assign it to
clients but it doesn't know about the assigned subnets.  So, what you
have to do is to add conn sections for each of these nets (with
also=IPTClient you can just set leftsubnet in each).

What I can't really explain is this:

> Apr  4 08:22:05 sv-cloud-testbed-02-concentrator pluto[29576]: | our client is subnet 16.0.0.0/4
> Apr  4 08:22:05 sv-cloud-testbed-02-concentrator pluto[29576]: | our client protocol/port is 0/0
> Apr  4 08:22:05 sv-cloud-testbed-02-concentrator pluto[29576]: | no valid attribute cert found
> Apr  4 08:22:05 sv-cloud-testbed-02-concentrator pluto[29576]: | find_client_connection starting with IPTClient
> Apr  4 08:22:05 sv-cloud-testbed-02-concentrator pluto[29576]: |   looking for 0.0.0.0/0:0/0 -> 10.200.0.1/32:0/0

From how I read the code the subnet listed on the first line above
should also be seen on the last line (left of ->).  What strongSwan
version do you use?  Did you patch it in any way?

Regards,
Tobias
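The workaround described in the message above, written out as a configuration example. This is added here for illustration and is neither part of the original post nor a sample shipped with strongSwan. The conn name IPTClient and the client address 10.200.0.1 are taken from the quoted log; the two split-include subnets (10.10.0.0/16 and 10.20.0.0/16), the address pool, the authentication settings and the exact attr-plugin key (taken from the thread's subject line, so check it against the strongswan.conf documentation for your version) are assumptions.

```ini
# /etc/ipsec.conf (assumed sample for strongSwan 4.x, where pluto handles IKEv1)
config setup
        plutostart=yes

conn IPTClient
        # base conn for the Unity/XAuth road warriors; deliberately no leftsubnet here
        keyexchange=ikev1
        authby=xauthpsk
        aggressive=yes
        left=%defaultroute
        leftid=@concentrator
        right=%any
        rightsourceip=10.200.0.0/24    # assumed pool; the log shows client 10.200.0.1
        auto=add

# One conn per UNITY_SPLIT_INCLUDE subnet.  Pluto does not derive traffic
# selectors from the attribute it hands out, so every subnet the client is
# told to tunnel needs an explicit conn that pluto can match in quick mode.
conn IPTClient-net1
        also=IPTClient
        leftsubnet=10.10.0.0/16

conn IPTClient-net2
        also=IPTClient
        leftsubnet=10.20.0.0/16

# /etc/strongswan.conf (assumed): the attr plugin only announces the list to
# the client; keep it identical to the leftsubnet values above, otherwise the
# client will try to tunnel traffic pluto has no conn for.
libstrongswan {
  plugins {
    attr {
      unity_split_include = 10.10.0.0/16, 10.20.0.0/16
    }
  }
}
```

With this in place, a quick mode proposal from the client for 10.10.0.0/16 should make find_client_connection (seen in the quoted debug output) settle on IPTClient-net1 rather than the bare IPTClient conn; if the "looking for" line still shows 0.0.0.0/0 on the left of the arrow, the mismatch Tobias points out above is still present and is worth reporting with the exact version.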
