[strongSwan] Source IP in routing table
Hoggins!
hoggins at radiom.fr
Fri Dec 28 15:11:52 CET 2018
Hi Noel,
Here are all my routes (including the ones I manually set):
192.168.12.0/24 via <VPN GATEWAY> dev ppp0 table 220 proto static src 192.168.22.10
192.168.33.0/24 via <VPN GATEWAY> dev ppp0 table 220 proto static src 192.168.22.10
192.168.55.0/24 via <VPN GATEWAY> dev ppp0 table 220 proto static src 192.168.22.10
192.168.66.0/24 via <VPN GATEWAY> dev ppp0 table 220 proto static src 192.168.22.10
default dev ppp0 scope link
default via 192.168.1.1 dev eth0.11 metric 100
10.8.0.0/16 dev NEWDUDE scope link
10.12.0.1 dev NEWDUDE proto kernel scope link src 10.12.0.2
169.254.0.0/16 dev eth0 scope link metric 1003
169.254.0.0/16 dev eth0.10 scope link metric 1007
169.254.0.0/16 dev eth0.100 scope link metric 1008
169.254.0.0/16 dev eth0.11 scope link metric 1009
169.254.0.0/16 dev eth0.12 scope link metric 1010
169.254.0.0/16 dev eth0.13 scope link metric 1011
169.254.0.0/16 dev eth0.14 scope link metric 1012
169.254.0.0/16 dev eth0.835 scope link metric 1014
169.254.0.0/16 dev eth0.9 scope link metric 1015
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.254
192.168.1.0/24 dev eth0.11 proto kernel scope link src 192.168.1.72
192.168.22.0/24 dev eth0.100 proto kernel scope link src 192.168.22.10
192.168.34.0/24 dev eth0 proto kernel scope link src 192.168.34.10
192.168.35.0/24 dev eth0.10 proto kernel scope link src 192.168.35.10
192.168.36.0/24 dev eth0.12 proto kernel scope link src 192.168.36.10
192.168.37.0/24 dev eth0.13 proto kernel scope link src 192.168.37.10
192.168.38.0/24 dev eth0.14 proto kernel scope link src 192.168.38.10
192.168.39.0/24 dev eth0.9 proto kernel scope link src 192.168.39.10
<PPP Gateway IP> dev ppp0 proto kernel scope link src <PPP IP>
224.2.127.254 dev eth0.11 scope link
227.65.43.21 dev eth0.11 scope link
227.65.43.22 dev eth0.11 scope link
227.65.43.23 dev eth0.11 scope link
local 10.12.0.2 dev NEWDUDE table local proto kernel scope host src 10.12.0.2
local <PPP IP> dev ppp0 table local proto kernel scope host src <PPP IP>
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.0.0 dev eth0 table local proto kernel scope link src 192.168.0.254
local 192.168.0.254 dev eth0 table local proto kernel scope host src 192.168.0.254
broadcast 192.168.0.255 dev eth0 table local proto kernel scope link src 192.168.0.254
broadcast 192.168.1.0 dev eth0.11 table local proto kernel scope link src 192.168.1.72
local 192.168.1.72 dev eth0.11 table local proto kernel scope host src 192.168.1.72
broadcast 192.168.1.255 dev eth0.11 table local proto kernel scope link src 192.168.1.72
broadcast 192.168.22.0 dev eth0.100 table local proto kernel scope link src 192.168.22.10
local 192.168.22.10 dev eth0.100 table local proto kernel scope host src 192.168.22.10
broadcast 192.168.22.255 dev eth0.100 table local proto kernel scope link src 192.168.22.10
broadcast 192.168.34.0 dev eth0 table local proto kernel scope link src 192.168.34.10
local 192.168.34.10 dev eth0 table local proto kernel scope host src 192.168.34.10
broadcast 192.168.34.255 dev eth0 table local proto kernel scope link src 192.168.34.10
broadcast 192.168.35.0 dev eth0.10 table local proto kernel scope link src 192.168.35.10
local 192.168.35.10 dev eth0.10 table local proto kernel scope host src 192.168.35.10
broadcast 192.168.35.255 dev eth0.10 table local proto kernel scope link src 192.168.35.10
broadcast 192.168.36.0 dev eth0.12 table local proto kernel scope link src 192.168.36.10
local 192.168.36.10 dev eth0.12 table local proto kernel scope host src 192.168.36.10
broadcast 192.168.36.255 dev eth0.12 table local proto kernel scope link src 192.168.36.10
broadcast 192.168.37.0 dev eth0.13 table local proto kernel scope link src 192.168.37.10
local 192.168.37.10 dev eth0.13 table local proto kernel scope host src 192.168.37.10
broadcast 192.168.37.255 dev eth0.13 table local proto kernel scope link src 192.168.37.10
broadcast 192.168.38.0 dev eth0.14 table local proto kernel scope link src 192.168.38.10
local 192.168.38.10 dev eth0.14 table local proto kernel scope host src 192.168.38.10
broadcast 192.168.38.255 dev eth0.14 table local proto kernel scope link src 192.168.38.10
broadcast 192.168.39.0 dev eth0.9 table local proto kernel scope link src 192.168.39.10
local 192.168.39.10 dev eth0.9 table local proto kernel scope host src 192.168.39.10
broadcast 192.168.39.255 dev eth0.9 table local proto kernel scope link src 192.168.39.10
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
local ::1 dev lo proto kernel metric 256
unreachable ::/96 dev lo metric 1024 error -113
unreachable ::ffff:0.0.0.0/96 dev lo metric 1024 error -113
unreachable 2002:a00::/24 dev lo metric 1024 error -113
unreachable 2002:7f00::/24 dev lo metric 1024 error -113
unreachable 2002:a9fe::/32 dev lo metric 1024 error -113
unreachable 2002:ac10::/28 dev lo metric 1024 error -113
unreachable 2002:c0a8::/32 dev lo metric 1024 error -113
unreachable 2002:e000::/19 dev lo metric 1024 error -113
unreachable 3ffe:ffff::/32 dev lo metric 1024 error -113
fe80::/64 dev NEWDUDE proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0.10 proto kernel metric 256
fe80::/64 dev eth0.100 proto kernel metric 256
fe80::/64 dev eth0.11 proto kernel metric 256
fe80::/64 dev eth0.12 proto kernel metric 256
fe80::/64 dev eth0.13 proto kernel metric 256
fe80::/64 dev eth0.14 proto kernel metric 256
fe80::/64 dev eth0.200 proto kernel metric 256
fe80::/64 dev eth0.835 proto kernel metric 256
fe80::/64 dev eth0.9 proto kernel metric 256
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
local ::1 dev lo table local proto none metric 0
local fe80::d63d:7eff:fe38:354e dev lo table local proto none metric 0
local fe80::d63d:7eff:fe38:354e dev lo table local proto none metric 0
local fe80::d63d:7eff:fe38:354e dev lo table local proto none metric 0
local fe80::d63d:7eff:fe38:354e dev lo table local proto none metric 0
local fe80::d63d:7eff:fe38:354e dev lo table local proto none metric 0
local fe80::d63d:7eff:fe38:354e dev lo table local proto none metric 0
local fe80::d63d:7eff:fe38:354e dev lo table local proto none metric 0
local fe80::d63d:7eff:fe38:354e dev lo table local proto none metric 0
local fe80::d63d:7eff:fe38:354e dev lo table local proto none metric 0
local fe80::d63d:7eff:fe38:354e dev lo table local proto none metric 0
ff00::/8 dev NEWDUDE table local metric 256
ff00::/8 dev eth0 table local metric 256
ff00::/8 dev eth0.10 table local metric 256
ff00::/8 dev eth0.100 table local metric 256
ff00::/8 dev eth0.11 table local metric 256
ff00::/8 dev eth0.12 table local metric 256
ff00::/8 dev eth0.13 table local metric 256
ff00::/8 dev eth0.14 table local metric 256
ff00::/8 dev eth0.200 table local metric 256
ff00::/8 dev eth0.835 table local metric 256
ff00::/8 dev eth0.9 table local metric 256
unreachable default dev lo table unspec proto kernel metric 4294967295 error -101
And my rules:
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
Hoggins!
On 28/12/2018 at 15:01, Noel Kuntze wrote:
> Hello,
>
> strongSwan generally uses the routing table(s) for figuring out which srcip is legal.
>
> What's in your routing tables and what are your routing rules?
> (`ip r show table all` and `ip ru`)
>
> Kind regards
>
> Noel
>
> On 28.12.18 at 14:35, Hoggins! wrote:
>> Well,
>>
>> I got away with setting install_routes to no and manually installing
>> them on startup.
>> I guess I could use a leftupdown script to get all this when the tunnel
>> is closed/reopened.
>>
>> Anyway that'd be nice to have some control over these routes when
>> install_routes is set to yes.
>>
>> Hoggins!
>>
>> On 24/12/2018 at 23:07, Hoggins! wrote:
>>> Hello list,
>>>
>>> I had a perfectly working setup that I built on top of a machine that
>>> never rebooted for several months. Multiple interfaces, multiple IP
>>> addresses on the same machine, the default source address has always
>>> been 192.168.22.10 in routing table 220. After the last reboot, I found
>>> out that the routing table came different:
>>>
>>> ~# ip route show table 220
>>> 192.168.12.0/24 via X.X.X.X dev ppp0 proto static src 192.168.35.10
>>> 192.168.33.0/24 via X.X.X.X dev ppp0 proto static src 192.168.35.10
>>> 192.168.55.0/24 via X.X.X.X dev ppp0 proto static src 192.168.35.10
>>> 192.168.66.0/24 via X.X.X.X dev ppp0 proto static src 192.168.35.10
>>>
>>>
>>> Before, the 192.168.35.10 source address was 192.168.22.10 and
>>> everything was set up around this. To overcome this situation, my first
>>> solution was to SNAT a lot and it's working alright, but not for the SIP
>>> protocol for example, and I'm stuck there.
>>> So I was wondering if there was any kind of control over the source
>>> address in the routing table 220 that would allow me to set
>>> 192.168.22.10 back again.
>>>
>>> This 192.168.35.10 is not even the source address for the default
>>> gateway, so I really wonder why StrongSWAN chooses this address as the
>>> source one. Any idea?
>>>
>>> Thanks!
>>>
>>> Hoggins!
>>>
>>
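The thread's problem is a table 220 whose routes carry the wrong `src` after a reboot. The script below is an added example, not code from the thread or from strongSwan: it audits `ip route show table 220` style output against the source address the tunnel is expected to use and prints the `ip route replace` commands that would pin it, which is the check one would run from a leftupdown script on up-client. The expected address 192.168.22.10 and table 220 come from the thread; the gateway 203.0.113.1 and the sample route lines are constructed stand-ins for the thread's `<VPN GATEWAY>` / `X.X.X.X`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): find routes in the
# strongSwan table whose "src" differs from the address the tunnel policy
# expects, and emit the commands that would correct them.
# Assumed values: table 220 and src 192.168.22.10 (from the thread);
# 203.0.113.1 is a constructed placeholder for the real VPN gateway.
EXPECTED_SRC="${EXPECTED_SRC:-192.168.22.10}"
TABLE="${TABLE:-220}"

# Constructed sample in `ip route show table 220` format, mirroring the
# post-reboot state from the thread (three routes with the wrong src).
SAMPLE_ROUTES='192.168.12.0/24 via 203.0.113.1 dev ppp0 proto static src 192.168.35.10
192.168.33.0/24 via 203.0.113.1 dev ppp0 proto static src 192.168.35.10
192.168.55.0/24 via 203.0.113.1 dev ppp0 proto static src 192.168.22.10
192.168.66.0/24 via 203.0.113.1 dev ppp0 proto static src 192.168.35.10'

# Reads route lines on stdin. For every route whose src is present and
# not $EXPECTED_SRC, prints one "ip route replace" command that re-adds
# the same prefix/gateway/device with the wanted src. Prints nothing
# when every route is already correct.
wrong_src_fixes() {
    awk -v want="$EXPECTED_SRC" -v table="$TABLE" '
        {
            src = ""; via = ""; dev = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "src") src = $(i + 1)
                if ($i == "via") via = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            if (src != "" && src != want)
                printf "ip route replace %s via %s dev %s table %s proto static src %s\n",
                       $1, via, dev, table, want
        }'
}

# Number of routes in the constructed sample that need fixing.
count_wrong() {
    printf '%s\n' "$SAMPLE_ROUTES" | wrong_src_fixes | wc -l | tr -d ' '
}

# Live use: ip route show table "$TABLE" | wrong_src_fixes
# Here the constructed sample is audited instead.
printf '%s\n' "$SAMPLE_ROUTES" | wrong_src_fixes
```

Review the printed commands before running them; piping them into `sh` from an updown script only makes sense once the expected src is confirmed to be the address the peer's traffic selectors actually cover.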