[strongSwan] Passthrough Connection

Christian Hanster christian-hanster at gmx.de
Fri Sep 4 19:51:30 CEST 2015


Hello Noel,

the arping is working: 
arping -I p5p1 -D 10.1.13.100
ARPING 10.1.13.100 from 0.0.0.0 p5p1
Unicast reply from 10.1.13.100 [00:25:4B:CD:F4:64]  0.984ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)

In the meantime I have completely reinstalled the gateway with a fresh Ubuntu 14.04. That did not solve the problem. Then I changed the log level of charon and there is something really strange:

 received stroke: add connection 'passthrough'
Sep  4 19:38:55 pceapu-2 charon: 08[CFG] left nor right host is our side, assuming left=local
Sep  4 19:38:55 pceapu-2 charon: 08[CFG] added configuration 'passthrough'
Sep  4 19:38:55 pceapu-2 charon: 10[CFG] received stroke: route 'passthrough'
Sep  4 19:38:55 pceapu-2 charon: 10[KNL] adding policy 10.1.13.0/24 === 10.1.13.0/24 out  (mark 0/0x00000000)
Sep  4 19:38:55 pceapu-2 charon: 10[KNL] adding policy 10.1.13.0/24 === 10.1.13.0/24 in  (mark 0/0x00000000)
Sep  4 19:38:55 pceapu-2 charon: 10[KNL] adding policy 10.1.13.0/24 === 10.1.13.0/24 fwd  (mark 0/0x00000000)
Sep  4 19:38:55 pceapu-2 charon: 10[KNL] getting a local address in traffic selector 10.1.13.0/24
Sep  4 19:38:55 pceapu-2 charon: 10[KNL] using host 10.1.13.1
Sep  4 19:38:55 pceapu-2 charon: 10[KNL] using 192.168.1.1 as nexthop to reach %any
Sep  4 19:38:55 pceapu-2 charon: 10[KNL] 10.1.13.1 is on interface p5p1
Sep  4 19:38:55 pceapu-2 charon: 10[KNL] installing route: 10.1.13.0/24 via 192.168.1.1 src 10.1.13.1 dev p5p1
Sep  4 19:38:55 pceapu-2 charon: 10[KNL] getting iface index for p5p1
Sep  4 19:38:55 pceapu-2 charon: 10[KNL] received netlink error: Network is unreachable (101)
Sep  4 19:38:55 pceapu-2 charon: 10[KNL] unable to install source route for 10.1.13.1

For me it seems like a bug that strongSwan wants to add a route with a next hop in a passthrough connection. At the moment I'm not completely sure, but it seems to produce the error because this route does not make any sense in my eyes, as 192.168.1.1 is reachable via the p4p1 interface.

Kind regards
Christian Hanster
> On 04 Sep 2015, at 19:35, Noel Kuntze <noel at familie-kuntze.de> wrote:
> 
> Sorry, meant ARP, not DPD.
> arping -I eth0 -D <IP>
> 
> - -- 
> 
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
> 
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> 
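
A diagnostic sketch for the charon log in the message above, added here as an example and not part of the original thread or of strongSwan: it pairs each `installing route` line with a following netlink error on the same charon thread and reports whether the chosen nexthop lies inside the routed prefix. The function name and the on-link heuristic (the routed prefix is taken as the subnet attached to `dev` when `src` lies inside it) are assumptions; the sample lines are copied from the message.

```python
import ipaddress
import re

# Sample input: [KNL] lines copied from the message above.
SAMPLE_LOG = """\
Sep  4 19:38:55 pceapu-2 charon: 10[KNL] adding policy 10.1.13.0/24 === 10.1.13.0/24 out  (mark 0/0x00000000)
Sep  4 19:38:55 pceapu-2 charon: 10[KNL] using host 10.1.13.1
Sep  4 19:38:55 pceapu-2 charon: 10[KNL] using 192.168.1.1 as nexthop to reach %any
Sep  4 19:38:55 pceapu-2 charon: 10[KNL] installing route: 10.1.13.0/24 via 192.168.1.1 src 10.1.13.1 dev p5p1
Sep  4 19:38:55 pceapu-2 charon: 10[KNL] getting iface index for p5p1
Sep  4 19:38:55 pceapu-2 charon: 10[KNL] received netlink error: Network is unreachable (101)
Sep  4 19:38:55 pceapu-2 charon: 10[KNL] unable to install source route for 10.1.13.1
"""

LINE = re.compile(r"charon: (?P<tid>\d+)\[KNL\] (?P<msg>.*)$")
ROUTE = re.compile(r"installing route: (?P<dst>\S+) via (?P<via>\S+) src (?P<src>\S+) dev (?P<dev>\S+)")
ERROR = re.compile(r"received netlink error: (?P<text>.+) \((?P<errno>\d+)\)")

def failed_routes(log):
    """Return route installs that were followed by a netlink error on the same thread."""
    pending = {}   # thread id -> fields of the most recent 'installing route' line
    findings = []
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        tid, msg = m["tid"], m["msg"]
        r = ROUTE.match(msg)
        if r:
            pending[tid] = r.groupdict()   # a newer install replaces an older one
            continue
        e = ERROR.match(msg)
        if e and tid in pending:
            route = pending.pop(tid)
            dst = ipaddress.ip_network(route["dst"])
            route["errno"] = int(e["errno"])
            route["error"] = e["text"]
            # Assumption: if src is inside dst, dst is the subnet attached to dev.
            route["dst_is_local_subnet"] = ipaddress.ip_address(route["src"]) in dst
            # A gateway outside that subnet is not directly reachable on dev.
            route["nexthop_on_link"] = ipaddress.ip_address(route["via"]) in dst
            findings.append(route)
    return findings
```

For the sample, the single finding has `dst_is_local_subnet` true and `nexthop_on_link` false: the gateway 192.168.1.1 is not inside 10.1.13.0/24 on p5p1.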
