[strongSwan] Passthrough Connection

Christian Hanster christian-hanster at gmx.de
Fri Sep 4 20:03:26 CEST 2015


So what’s a MAST stack? Can you explain it to me?

Thanks :)
> On 04 Sep 2015, at 19:54, Randy Wyatt <rwwyatt01 at gmail.com> wrote:
> 
> Isn't there a problem that you are adding overlapping routes?  10.1.0.0/16 covers 10.1.13.0/24.  I think you need a MAST stack for this.
> 
> On Fri, Sep 4, 2015 at 10:51 AM, Christian Hanster <christian-hanster at gmx.de> wrote:
> Hello Noel,
> 
> the arping is working: 
> arping -I p5p1 -D 10.1.13.100
> ARPING 10.1.13.100 from 0.0.0.0 p5p1
> Unicast reply from 10.1.13.100 [00:25:4B:CD:F4:64]  0.984ms
> Sent 1 probes (1 broadcast(s))
> Received 1 response(s)
> 
> In the meantime I have completely reinstalled the gateway with a fresh Ubuntu 14.04. That did not solve the problem. Then I changed the log level of charon and there is something really strange:
> 
>  received stroke: add connection 'passthrough'
> Sep  4 19:38:55 pceapu-2 charon: 08[CFG] left nor right host is our side, assuming left=local
> Sep  4 19:38:55 pceapu-2 charon: 08[CFG] added configuration 'passthrough'
> Sep  4 19:38:55 pceapu-2 charon: 10[CFG] received stroke: route 'passthrough'
> Sep  4 19:38:55 pceapu-2 charon: 10[KNL] adding policy 10.1.13.0/24 === 10.1.13.0/24 out  (mark 0/0x00000000)
> Sep  4 19:38:55 pceapu-2 charon: 10[KNL] adding policy 10.1.13.0/24 === 10.1.13.0/24 in  (mark 0/0x00000000)
> Sep  4 19:38:55 pceapu-2 charon: 10[KNL] adding policy 10.1.13.0/24 === 10.1.13.0/24 fwd  (mark 0/0x00000000)
> Sep  4 19:38:55 pceapu-2 charon: 10[KNL] getting a local address in traffic selector 10.1.13.0/24
> Sep  4 19:38:55 pceapu-2 charon: 10[KNL] using host 10.1.13.1
> Sep  4 19:38:55 pceapu-2 charon: 10[KNL] using 192.168.1.1 as nexthop to reach %any
> Sep  4 19:38:55 pceapu-2 charon: 10[KNL] 10.1.13.1 is on interface p5p1
> Sep  4 19:38:55 pceapu-2 charon: 10[KNL] installing route: 10.1.13.0/24 via 192.168.1.1 src 10.1.13.1 dev p5p1
> Sep  4 19:38:55 pceapu-2 charon: 10[KNL] getting iface index for p5p1
> Sep  4 19:38:55 pceapu-2 charon: 10[KNL] received netlink error: Network is unreachable (101)
> Sep  4 19:38:55 pceapu-2 charon: 10[KNL] unable to install source route for 10.1.13.1
> 
> To me it seems like a bug that strongSwan wants to add a route with a next hop in a passthrough connection. At the moment I’m not completely sure, but it seems to produce the error because in my eyes this route does not make any sense, as 192.168.1.1 is reachable via the p4p1 interface.
> 
> Kind regards
> Christian Hanster
>> On 04 Sep 2015, at 19:35, Noel Kuntze <noel at familie-kuntze.de> wrote:
>> 
>> 
>> Sorry, meant ARP, not DPD.
>> arping -I eth0 -D <IP>
>> 
>> -- 
>> 
>> Mit freundlichen Grüßen/Kind Regards,
>> Noel Kuntze
>> 
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>> 
>> 
> 
> 
