[strongSwan] updown script not adding routes

Christian Liebscher lemurenkind at gmail.com
Tue Feb 17 14:16:38 CET 2015


Hello,

I've noticed something about the updown script that doesn't seem right.
With Revision 881e9a7e of src/_updown/_updown.in the description of
PLUTO_NEXT_HOP got removed, because it is not supported by charon. But the
usage still remains and is still there @master. What currently happens is
that the routes are not added at all, because the generated command line
for "iproute2" is not valid.

Starting at line 237:
if [ -n "$PLUTO_NEXT_HOP" ]
then
parms2="via $PLUTO_NEXT_HOP"
else
parms2="via $PLUTO_PEER"
fi
parms2="$parms2 dev $PLUTO_INTERFACE"

This should obviously decide how to add the route to the linux routing
table. If there is at least one router in between both peers, a route via
the next hop has to be set (not directly to the other peer). Because
PLUTO_NEXT_HOP is not supported by charon this script will try to add a
route via the peer itself. The peer, in almost all setups, is not in the
same subnet, so adding this route will fail.

Routing will still work without a specific route, because all packets to
the subnet behind the other peer will take the default route of the system.
But let us assume that we want to ping a client behind a remote peer
directly from our local peer. The packets will find their way, but the
source ip will not be from our local subnet, because the part about the src
ip is obviously also missing (parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*}
table $SOURCEIP_ROUTING_TABLE").

Did I miss something? I've not looked into the issue in more detail.

Regards, Christian Liebscher
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150217/c3692429/attachment.html>


More information about the Users mailing list