[strongSwan] auto=route with virtual IPs
Alexander Hill
alex at hill.net.au
Thu Oct 27 18:29:05 CEST 2016
Hi Noel,
Thanks for the suggestion, I tried that. If I remove the leftsubnet
directive from the client config, I get a route with src explicitly set to
my interface's real IP, which has the same effect. I also tried setting it
to the virtual IP pool, and the current virtual IP under lease, to no
avail. I'll double check tomorrow but I think one or both of those resulted
in no route being added at all.
It seems to me like the correct route can only be added at connection time,
because it needs the virtual IP that might not have been assigned yet, but
the sans-src route is necessary before then to make the trap work. So the
route needs to be replaced when a connection is established, but I can't
work out how to make strongswan do that.
Any other ideas of how to make this work? I know updown.sh is there as a
last resort but I'm hoping to stick to simple configuration.
Thanks,
Alex
On Thu, 27 Oct 2016 at 23:49 Noel Kuntze <noel at familie-kuntze.de> wrote:
> >
> > 172.16.0.0/16 via 192.168.1.254 dev eth0 proto static src 172.16.0.3
> >
> > However if I use auto=route (or run ipsec route and then ipsec up), my
> table 220 looks like this:
> >
> > 172.16.0.0/16 via 192.168.1.254 dev eth0 proto static
>
>
> As I wrote on IRC, that's because of this setting on the client.
> > leftsubnet=0.0.0.0/0
> Remove it.
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161027/ded4e9ee/attachment.html>
More information about the Users
mailing list