[strongSwan] Problem when using a VIP in "left" setting.
modowd at kuantic.com
Tue Jan 12 13:39:15 CET 2016
Note: below I use the term "VIP". By this, I mean the IP address
associated with a Linux virtual network interface, like eth1:0. I want
to avoid confusion with the strongSwan concept of "Virtual IP".
I have configured strongSwan so that the "left" conn parameter refers to
a VIP. This VIP is the IP address of a virtual network interface
(eth1:0). It is flagged "secondary" by the kernel, since it's in the
same subnet as the primary IP address on that interface (eth1).
I won't go into the details of why I do this, but suffice it to say that
I use strongSwan in conjunction with pacemaker to provide active/passive
redundancy and this requires the use of a VIP.
So the host has two IP addresses on its ethernet interface: the primary
IP address (on eth1) and the VIP (on eth1:0). They're both in the same
Up to and including Fedora 21, my strongSwan configuration worked
correctly. However, since I upgraded to Fedora 23, strongSwan can no
longer establish connections with it's IPsec peer.
After running wireshark, I discovered that outgoing strongSwan packets
have the wrong source IP address. They're using the primary IP address
instead of the VIP, despite the fact that the "left" setting indicates
I then added debugging to iptables (-j LOG), in both the OUTPUT and
POSTROUTING chains and confirmed this fact. The packets are sent using
the primary IP address instead of the VIP.
However, when I activate strongSwan debugging, the [NET] output
indicates that the packets are sent using the correct IP address (VIP).
So, somewhere between the "[NET] sending packet" debug output in
strongSwan and the OUTPUT chain of iptables, the source IP address has
been changed from the VIP to the primary IP address.
There are no SNAT rules in my iptables. I'm not using firewalld.
I'm totally confused. Does anyone understand what's going on? Why is the
source IP address being modified?
This works under Fedora 21: Linux strongSwan
This fails under Fedora 23: Linux strongSwan
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users