[strongSwan] Make strongswan use loopback as src address
Hans-Kristian Bakke
hkbakke at gmail.com
Tue May 29 15:24:08 CEST 2012
Just to make it clear: my real issue is not with the loopback. It is
that "leftsourceip=10.0.8.1" doesn't appear to have any effect.
Regards,
Hans-Kristian Bakke
On Tue, May 29, 2012 at 9:00 AM, Hans-Kristian Bakke <hkbakke at gmail.com> wrote:
> Hi
>
> I have a strongswan setup which is working perfectly, except for one issue.
> There are two strongswan roadwarriors connecting to a strongswan
> gateway in this setup.
> I currently have the networks 10.0.[0-7].0/24 and the loopback
> 10.0.8.1/32 on the gateway. Strongswan automatically selects 10.0.0.1
> as the src ip without leftsourceip configured on the gateway.
> This is an issue, because the tunnels die if I shut down the
> 10.0.0.0/24 interface. This interface is in no way necessary for
> keeping the tunnels up on the WAN-side of the firewall, making use of
> the other subnets which are still up.
> Because of this I want strongswan to use a loopback-address as the
> src, hoping that this will remove this dependency.
> The loopback interface is up and running as lo:1 on 10.0.8.1 and is
> pingable through the tunnel, but strongswan seems to ignore my
> leftsourceip=10.0.8.1 statement and select 10.0.0.1 no matter what I
> do.
>
> root at firewall:~# ifconfig lo:1
> lo:1 Link encap:Local Loopback
> inet addr:10.0.8.1 Mask:255.255.255.255
> UP LOOPBACK RUNNING MTU:16436 Metric:1
>
> What I currently have on the gateway:
> root at firewall:~# ip route show table 220
> 10.0.1.2 via 77.106.146.1 dev eth2 proto static src 10.0.0.1
> 10.0.1.4 via 77.106.146.1 dev eth2 proto static src 10.0.0.1
>
> What I want:
> root at firewall:~# ip route show table 220
> 10.0.1.2 via 77.106.146.1 dev eth2 proto static src 10.0.8.1
> 10.0.1.4 via 77.106.146.1 dev eth2 proto static src 10.0.8.1
>
>
> Gateway config:
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>     charonstart=yes
>     plutostart=no
>
> conn %default
>     keyexchange=ikev2
>     auth=esp
>     authby=pubkey
>     mobike=yes
>     left=%defaultroute
>     leftsourceip=10.0.8.1
>     leftauth=pubkey
>     leftcert=vpn-serverCert.pem
>     rightauth=pubkey
>     type=tunnel
>     dpdaction=clear
>     reauth=no
>     ike=aes256-aesxcbc-ecp521!
>     esp=aes256gcm16!
>
> conn rw-backup
>     leftsubnet=10.0.0.0/20
>     right=%any
>     rightsourceip=10.0.1.2
>     rightid="...taken out..."
>     auto=add
>
> conn rw-europa
>     leftsubnet=10.0.0.0/20
>     right=%any
>     rightsourceip=10.0.1.4
>     rightid="...taken out..."
>     auto=add
>
>
> Roadwarrior config:
> root at backup:~# cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
>
> # basic configuration
> config setup
>     charonstart=yes
>     plutostart=no
>
> # Add connections here.
> conn %default
>     leftcert=uranusCert.pem
>     reauth=no
>     mobike=yes
>     type=tunnel
>     dpdaction=restart
>
> conn vpn-server
>     keyexchange=ikev2
>     auth=esp
>     authby=pubkey
>     leftauth=pubkey
>     left=%defaultroute
>     leftsourceip=%config
>     rightsubnet=10.0.0.0/20
>     right=%vpn.marsboer.net
>     rightid="...taken out..."
>     auto=start
>     ike=aes256-aesxcbc-ecp521!
>     esp=aes256gcm16!
>
>
> Any ideas?
>
> Regards,
> Hans-Kristian Bakke
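The thread wants the "src" hint on the routes charon installs in routing table 220 to point at the loopback address rather than at an interface that may go down. The script below is an added example, not code from the original thread or from the strongSwan project: it reads "ip route show table 220" output and rewrites each route with the wanted src, keeping destination, gateway, device and proto. It assumes iproute2 is present, that table 220 is the strongSwan routing table (the default), and that it runs as root when it actually applies changes; the sample route lines are constructed to match the shape of the dump in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from strongSwan itself): rewrite the
# "src" hint on charon's table 220 routes so the tunnel's local address is a
# chosen address (here the thread's loopback 10.0.8.1) instead of the
# interface address charon picked.
# Assumptions: iproute2 is available, table 220 is the strongSwan routing
# table (the default), and apply_src is run as root.

TABLE=220

# route_src LINE: print the "src" address of one "ip route show" line, or
# nothing if the route carries no src hint.
route_src() {
    printf '%s\n' "$1" | sed -n -E 's/.* src ([0-9.]+).*/\1/p'
}

# rewrite_src WANT: read "ip route show table 220" lines on stdin and print,
# one per line, the "ip route replace" command that keeps the route's
# destination, gateway, device and proto but sets "src WANT". Routes that
# already carry WANT are skipped, so running the output twice is harmless.
rewrite_src() {
    want="$1"
    while IFS= read -r line; do
        if [ -z "$line" ]; then
            continue
        fi
        cur=$(route_src "$line")
        if [ "$cur" = "$want" ]; then
            continue
        fi
        # drop any existing src hint, then append the wanted one
        base=$(printf '%s\n' "$line" | sed -E 's/ src [0-9.]+//')
        printf 'ip route replace %s table %s src %s\n' "$base" "$TABLE" "$want"
    done
}

# apply_src WANT: rewrite the live table and execute the resulting commands.
# Needs root; nothing is executed unless this function is called.
apply_src() {
    ip route show table "$TABLE" | rewrite_src "$1" | sh -e
}

# Constructed sample input, shaped like the table 220 dump in the thread:
# the first route still uses 10.0.0.1, the second already uses 10.0.8.1.
SAMPLE='10.0.1.2 via 77.106.146.1 dev eth2 proto static src 10.0.0.1
10.0.1.4 via 77.106.146.1 dev eth2 proto static src 10.0.8.1'

# Dry run against the sample: prints the one replace command, executes nothing.
if [ "${1:-}" = "--dry-run" ]; then
    printf '%s\n' "$SAMPLE" | rewrite_src 10.0.8.1
fi
```

Two caveats. charon re-installs its routes whenever the CHILD_SA is (re)established or a MOBIKE update changes the path, so a one-off fix is undone on the next rekey; the usual way to keep control of the routes is to set charon.install_routes = no in strongswan.conf and call something like apply_src from the connection's updown script. Second, the chosen address must lie inside leftsubnet so that traffic sourced from it matches the IPsec policy: 10.0.8.1 is inside 10.0.0.0/20, so it qualifies here, but an address outside the local traffic selector would leave the gateway's own packets unprotected and dropped rather than tunnelled.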