[strongSwan] need help using aliased interface
Geoff.Lovett at lightningsource.com
Thu Jun 7 23:07:02 CEST 2012
Hello, I'm attempting to use strongswan (4.6.4) in an HA setup with two firewalls configured to be active/standby. The active firewall gets assigned an aliased IP. What I'm finding is that despite ipsec.conf containing left=<aliased IP>, strongswan almost always chooses the firewall's own IP to send packets, despite the logs showing it using the aliased IP. I'm seeing this behavior using tcpdump. Firewalls on the other side are configured to talk to the aliased IP, and ignore packets from my firewall's IP.
I've noticed that there's an --interface flag for pluto, but I can't find how to pass it in when starting with ipsec start. IKEv1 is a requirement, as the other side does not support v2.
I tried setting PLUTO_INTERFACE and PLUTO_MY_SOURCEIP in _updown, but it had no effect.
I've also tried SNATing the traffic on the way out, but amazingly, strongswan's traffic bypasses this part of netfilter. For testing, I used 'iptables -t nat -I POSTROUTING 1 -j SNAT --to <ALIASED IP>', and I could see it getting everything else.
I see that there's a feature request to make this happen for charon (http://wiki.strongswan.org/issues/185). Is this also missing from pluto? Any other thoughts on how to solve this? How are others doing HA with strongswan?