[strongSwan] Make strongswan use loopback as src address
Hans-Kristian Bakke
hkbakke at gmail.com
Tue May 29 09:00:16 CEST 2012
Hi
I have a strongswan setup which is working perfectly, except for one issue.
There are two strongswan roadwarriors connecting to a strongswan
gateway in this setup.
I currently have the networks 10.0.[0-7].0/24 and the loopback
10.0.8.1/32 on the gateway. Strongswan automatically selects 10.0.0.1
as the src ip without leftsourceip configured on the gateway.
This is an issue, because the tunnels die if I shut down the
10.0.0.0/24 interface. This interface is in no way necessary for
keeping the tunnels up on the WAN-side of the firewall, making use of
the other subnets which are still up.
Because of this I want strongswan to use a loopback-address as the
src, hoping that this will remove this dependency.
The loopback interface is up and running as lo:1 on 10.0.8.1 and is
pingable through the tunnel, but strongswan seems to ignore my
leftsourceip=10.0.8.1 statement and select 10.0.0.1 no matter what I
do.
root at firewall:~# ifconfig lo:1
lo:1 Link encap:Local Loopback
inet addr:10.0.8.1 Mask:255.255.255.255
UP LOOPBACK RUNNING MTU:16436 Metric:1
What I currently have on the gateway:
root at firewall:~# ip route show table 220
10.0.1.2 via 77.106.146.1 dev eth2 proto static src 10.0.0.1
10.0.1.4 via 77.106.146.1 dev eth2 proto static src 10.0.0.1
What I want:
root at firewall:~# ip route show table 220
10.0.1.2 via 77.106.146.1 dev eth2 proto static src 10.0.8.1
10.0.1.4 via 77.106.146.1 dev eth2 proto static src 10.0.8.1
Gateway config:
# ipsec.conf - strongSwan IPsec configuration file
config setup
    charonstart=yes
    plutostart=no
conn %default
    keyexchange=ikev2
    auth=esp
    authby=pubkey
    mobike=yes
    left=%defaultroute
    leftsourceip=10.0.8.1
    leftauth=pubkey
    leftcert=vpn-serverCert.pem
    rightauth=pubkey
    type=tunnel
    dpdaction=clear
    reauth=no
    ike=aes256-aesxcbc-ecp521!
    esp=aes256gcm16!
conn rw-backup
    leftsubnet=10.0.0.0/20
    right=%any
    rightsourceip=10.0.1.2
    rightid="...taken out..."
    auto=add
conn rw-europa
    leftsubnet=10.0.0.0/20
    right=%any
    rightsourceip=10.0.1.4
    rightid="...taken out..."
    auto=add
Roadwarrior config:
root at backup:~# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    charonstart=yes
    plutostart=no
# Add connections here.
conn %default
    leftcert=uranusCert.pem
    reauth=no
    mobike=yes
    type=tunnel
    dpdaction=restart
conn vpn-server
    keyexchange=ikev2
    auth=esp
    authby=pubkey
    leftauth=pubkey
    left=%defaultroute
    leftsourceip=%config
    rightsubnet=10.0.0.0/20
    right=%vpn.marsboer.net
    rightid="...taken out..."
    auto=start
    ike=aes256-aesxcbc-ecp521!
    esp=aes256gcm16!
Any ideas?
Regards,
Hans-Kristian Bakke
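An added check script (not part of the original post or of strongSwan) that parses `ip route show table 220` output and reports which tunnel routes still carry a source address other than the intended loopback one; the sample input is constructed from the gateway's current table above.

```shell
#!/bin/sh
# Added example, not from the original post: verify that every route
# strongSwan installed in routing table 220 carries the intended source
# address, so the tunnels do not depend on one LAN interface address
# (here 10.0.0.1 on 10.0.0.0/24) staying up.

# Print "<destination> <src>" for each route line; "-" when no src is set.
route_srcs() {
    awk '{
        src = "-"
        for (i = 1; i <= NF; i++) if ($i == "src") src = $(i + 1)
        print $1, src
    }'
}

# List destinations whose src differs from the expected address.
# Usage: bad_routes <expected_src> < route_output
# Exit status is 1 if any route uses a different src, 0 otherwise.
bad_routes() {
    expected="$1"
    route_srcs | awk -v want="$expected" '
        $2 != want { print $1; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample, shaped like the gateway's current table 220 output.
SAMPLE_ROUTES='10.0.1.2 via 77.106.146.1 dev eth2 proto static src 10.0.0.1
10.0.1.4 via 77.106.146.1 dev eth2 proto static src 10.0.0.1'

# On a live gateway (not run here):
#   ip route show table 220 | bad_routes 10.0.8.1
```

With the sample above, `bad_routes 10.0.8.1` lists both roadwarrior destinations because their routes are still sourced from 10.0.0.1.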