[strongSwan] Problem connecting to a Cisco Unity gateway

Bas van Dijk v.dijk.bas at gmail.com
Fri Mar 20 18:08:01 CET 2015


I think I understand what I'm doing wrong: strongSwan only inserts a
route if a local IP address can be found in the subnet
172.16.48.16/28. I currently don't have an IP address in that subnet
assigned to an interface on my system, so no route gets installed.

So IIUC to fix this I need to add an IP address within the
172.16.48.16/28 subnet (for example 172.16.48.17) to some interface in
my system.

My question now is to which interface should I attach 172.16.48.17?

I don't think I should attach it to eth0 since that is connected to
the internet and I don't think you should attach local addresses to an
internet connected interface.

Should I create some virtual interface (tun/tap) and attach it to that?

Thanks for bearing with me so far!

Bas


On 20 March 2015 at 17:50, Bas van Dijk <v.dijk.bas at gmail.com> wrote:
> I forgot to mention that I see the following in the log:
>
> Mar 20 17:36:42 zeus charon[4136]: 14[KNL] getting a local address in
> traffic selector 172.16.48.16/28
> Mar 20 17:36:42 zeus charon[4136]: 14[KNL] no local address found in
> traffic selector 172.16.48.16/28
>
> On 20 March 2015 at 17:48, Bas van Dijk <v.dijk.bas at gmail.com> wrote:
>> Hi Tobias,
>>
>> Sorry for the late reply.
>>
>> It seems my strongSwan doesn't set up the route, since `ip route list
>> table 220` doesn't show anything. I think I'm suffering from bug:
>> https://wiki.strongswan.org/issues/197.
>>
>> As a work-around I will try to manually add the route:
>>
>>   10.180.0.0/16 via <default GW> dev eth0 proto static src 172.16.48.16
>>
>> Cheers,
>>
>> Bas
>>
>> On 18 February 2015 at 17:03, Tobias Brunner <tobias at strongswan.org> wrote:
>>> Hi Bas,
>>>
>>>> So am I right that the only thing left to do is configure my system so
>>>> that packets to hosts on the 10.180.0.0/24 subnet appear to come from
>>>> a host on the 172.16.48.16/28 subnet?
>>>>
>>>> To accomplish this I already added the additional IP address
>>>> 172.16.48.16 to my NIC (besides the DHCP configured 192.168.42.162).
>>>>
>>>> What's the next step? Do I need to add a route or some iptables rule?
>>>
>>> strongSwan should find the address you added to the NIC and install an
>>> appropriate route to routing table 220 automatically.  You may check
>>> with `ip route list table 220`.  This route will look similar to this:
>>>
>>>   10.180.0.0/16 via <default GW> dev eth0 proto static src 172.16.48.16
>>>
>>> This should force 172.16.48.16 as source address for packets sent to
>>> hosts in 10.180.0.0/16.  (Depending on how the other peer is configured
>>> you might want to try a different IP from your source subnet e.g. .17,
>>> because .16 is the network ID, while .31 is the broadcast address).
>>>
>>> Regards,
>>> Tobias
>>>
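As an added example (not code from this thread and not strongSwan's own code): the route in table 220 only appears once charon finds a host address inside the local traffic selector, which is what the log lines "getting a local address in traffic selector 172.16.48.16/28" and "no local address found" report. The POSIX shell script below reproduces that containment test offline and adds the check from Tobias's reply that .16 (network ID) and .31 (broadcast) of a /28 are poor choices. The address list in `demo` is constructed from the thread (the DHCP address 192.168.42.162 plus the two candidates discussed); `local_ipv4_addresses` assumes iproute2's `ip` is installed and is only needed when you run the check against a live host. The thread does not settle which interface the address should go on, so the script checks addresses and does not configure anything.

```shell
#!/bin/sh
# Added example, not strongSwan code: does any local IPv4 address fall inside
# the local traffic selector (TS)? charon installs the table-220 route only if so.

# Dotted-quad IPv4 -> integer. Uses positional parameters so no globals leak.
ip2int() {
    _saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a prefix length, kept within 32 bits (no overflow on shift).
prefix_mask() {
    echo $(( (4294967295 >> (32 - $1)) << (32 - $1) ))
}

# in_subnet ADDR NET/LEN: the containment test charon performs (assumption:
# charon checks containment only; the network/broadcast caveat is Tobias's advice).
in_subnet() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    mask=$(prefix_mask "${2#*/}")
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# usable_host ADDR NET/LEN: inside the subnet and neither the network ID nor
# the broadcast address (for /31 and /32 every address is a host address).
usable_host() {
    in_subnet "$1" "$2" || return 1
    len=${2#*/}
    [ "$len" -ge 31 ] && return 0
    addr=$(ip2int "$1")
    mask=$(prefix_mask "$len")
    network=$(( $(ip2int "${2%/*}") & mask ))
    broadcast=$(( network | (4294967295 ^ mask) ))
    [ "$addr" -ne "$network" ] && [ "$addr" -ne "$broadcast" ]
}

# find_local_address NET/LEN ADDR...: print the first usable address, or
# return 1 with no output (the "no local address found" case).
find_local_address() {
    _ts=$1; shift
    for _a in "$@"; do
        if usable_host "$_a" "$_ts"; then
            echo "$_a"
            return 0
        fi
    done
    return 1
}

# Addresses configured on this host, one per line (needs iproute2; not used by demo).
local_ipv4_addresses() {
    ip -4 -o addr show | awk '{ print $4 }' | cut -d/ -f1
}

# Constructed input modelled on the thread; not read from a live host.
demo() {
    ts=172.16.48.16/28
    for a in 192.168.42.162 172.16.48.16 172.16.48.17; do
        if usable_host "$a" "$ts"; then
            echo "$a: usable local address inside $ts, route would be installed"
        elif in_subnet "$a" "$ts"; then
            echo "$a: inside $ts but it is the network or broadcast address"
        else
            echo "$a: not in $ts ('no local address found in traffic selector')"
        fi
    done
}

demo
```

To run it against a real host, replace the constructed list in `demo` with `$(local_ipv4_addresses)` and then confirm with `ip route list table 220` that the route appeared after the address was added.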

