[strongSwan] Problem when using a VIP in "left" setting.

Michael O'Dowd modowd at kuantic.com
Tue Jan 12 13:39:15 CET 2016


Note: below I use the term "VIP". By this, I mean the IP address 
associated with a Linux virtual network interface, like eth1:0. I want 
to avoid confusion with the strongSwan concept of "Virtual IP".

I have configured strongSwan so that the "left" conn parameter refers to 
a VIP. This VIP is the IP address of a virtual network interface 
(eth1:0). It is flagged "secondary" by the kernel, since it's in the 
same subnet as the primary IP address on that interface (eth1).

I won't go into the details of why I do this, but suffice it to say that 
I use strongSwan in conjunction with pacemaker to provide active/passive 
redundancy and this requires the use of a VIP.

So the host has two IP addresses on its ethernet interface: the primary 
IP address (on eth1) and the VIP (on eth1:0). They're both in the same 


Up to and including Fedora 21, my strongSwan configuration worked 
correctly. However, since I upgraded to Fedora 23, strongSwan can no 
longer establish connections with its IPsec peer.

After running wireshark, I discovered that outgoing strongSwan packets 
have the wrong source IP address. They're using the primary IP address 
instead of the VIP, despite the fact that the "left" setting indicates 
the VIP.

I then added debugging to iptables (-j LOG), in both the OUTPUT and 
POSTROUTING chains and confirmed this fact. The packets are sent using 
the primary IP address instead of the VIP.

However, when I activate strongSwan debugging, the [NET] output 
indicates that the packets are sent using the correct IP address (VIP).

So, somewhere between the "[NET] sending packet" debug output in 
strongSwan and the OUTPUT chain of iptables, the source IP address has 
been changed from the VIP to the primary IP address.

There are no SNAT rules in my iptables. I'm not using firewalld.

I'm totally confused. Does anyone understand what's going on? Why is the 
source IP address being modified?

   This works under Fedora 21: Linux strongSwan 
   This fails under Fedora 23: Linux strongSwan 
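
An added example, not part of the original post: the check the poster did by hand with iptables "-j LOG" rules in OUTPUT and POSTROUTING can be automated by parsing the kernel log lines and flagging every IKE/NAT-T packet to the peer whose SRC is not the expected VIP. The sample log lines, the chain prefixes ("OUTPUT: ", "POSTROUTING: " as set with --log-prefix), and all addresses (192.0.2.0/24 documentation range) are constructed for the example; the VIP, primary address and peer shown here are assumptions, not the poster's real values.

```python
import re

# Constructed iptables LOG output in kernel-log format, modelled on the
# OUTPUT/POSTROUTING "-j LOG" rules described in the post. Assumed values:
#   primary address on eth1   = 192.0.2.10
#   VIP on eth1:0 ("left")    = 192.0.2.11
#   IPsec peer                = 192.0.2.200
SAMPLE_LOG = """\
Jan 12 13:31:02 gw kernel: OUTPUT: IN= OUT=eth1 SRC=192.0.2.10 DST=192.0.2.200 LEN=404 PROTO=UDP SPT=500 DPT=500 LEN=384
Jan 12 13:31:02 gw kernel: POSTROUTING: IN= OUT=eth1 SRC=192.0.2.10 DST=192.0.2.200 LEN=404 PROTO=UDP SPT=500 DPT=500 LEN=384
Jan 12 13:31:03 gw kernel: [ 1842.117] OUTPUT: IN= OUT=eth1 SRC=192.0.2.11 DST=192.0.2.200 LEN=120 PROTO=UDP SPT=4500 DPT=4500 LEN=100
Jan 12 13:31:05 gw kernel: OUTPUT: IN= OUT=eth1 SRC=192.0.2.10 DST=192.0.2.50 LEN=60 PROTO=TCP SPT=43210 DPT=22
"""

# The key=value fields the LOG target emits that matter for this check.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")
# The --log-prefix, optionally preceded by the kernel's "[ seconds ]" timestamp.
PREFIX_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\]\s*)?(\w+): ")


def parse_log_line(line):
    """Return {'chain': ..., 'SRC': ..., 'DST': ..., ...} for one LOG line, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group(1)}
    for key, value in FIELD_RE.findall(line):
        rec[key] = value
    return rec


def find_source_mismatches(log_text, expected_src, peer, ike_ports=("500", "4500")):
    """Return the IKE (UDP/500) and NAT-T (UDP/4500) packets addressed to `peer`
    whose source address is not `expected_src` (the VIP configured as "left")."""
    mismatches = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        if rec.get("DST") != peer or rec.get("PROTO") != "UDP":
            continue  # not traffic to the IPsec peer
        if rec.get("DPT") not in ike_ports:
            continue  # not IKE/NAT-T
        if rec.get("SRC") != expected_src:
            mismatches.append(rec)
    return mismatches


def summarize(mismatches):
    """Count mismatching packets per chain, so the first chain that shows the
    wrong source tells you where in the stack the address was already set."""
    counts = {}
    for rec in mismatches:
        counts[rec["chain"]] = counts.get(rec["chain"], 0) + 1
    return counts


if __name__ == "__main__":
    bad = find_source_mismatches(SAMPLE_LOG, expected_src="192.0.2.11", peer="192.0.2.200")
    for rec in bad:
        print(f"{rec['chain']}: SRC={rec['SRC']} DST={rec['DST']} DPT={rec['DPT']} (expected SRC=192.0.2.11)")
    print(summarize(bad))
```

In the constructed sample the two UDP/500 packets already carry the primary address in the OUTPUT chain, which is the situation the post describes: the rewrite happened before netfilter ever saw the packet, so no SNAT rule is involved. A useful companion check on a real host is `ip route get <peer> from <vip>`, which shows the source address the kernel's route lookup would select for that peer when asked to use the VIP.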
