[strongSwan] solution to kernel_libipsec no local address found problem

Simon Chan sialnije at gmail.com
Thu Aug 22 05:37:37 CEST 2019


Hi List,

- strongswan version 5.5.3
- I have to use kernel_libipsec (because of Openssl FIPS validated crypto).
- Must support a local traffic selector that does not include any local IP addr.

To expand on the last bullet:
- Peer's IP addr is 192.168.0.2, remote traffic selector 172.16.0.0/24
- My node has only 1 interface (not counting ipsec0). IP addr is 192.168.0.1
- Local traffic selector 10.1.1.0/24
- My node has static route 10.1.1.0/24 via 192.168.0.254, which is a router.
- Router 192.168.0.254 has static route for 172.16.0.0/24 via my node.

When I try to bring up the tunnel, I get this log:
- charon: 12[KNL] getting a local address in traffic selector 10.1.1.0/24
- charon: 12[KNL] no local address found in traffic selector 10.1.1.0/24
- charon: 12[KNL] error installing route with policy 10.1.1.0/24 === 172.16.0.0/24
- charon: 12[IKE] unable to install IPsec policies (SPD) in kernel
- charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA

Is there any way to workaround this no local address problem?

I tried cheating in kernel_libipsec_ipsec.c:
ignore the failure from get_address_by_ts() and make up a local address by:
src_ip = host_create_from_string("192.168.0.1", 0);

It does fool kernel_libipsec to install this route:
172.16.0.0/24 dev ipsec0 proto static src 192.168.0.1

But the route does not capture any packets into ipsec0.
So the tunnel ends up working only one way, from the peer through my node to the
10.1.1.0/24 network.
Return packets from the 10.1.1.0/24 network stop at my node and cannot get back to
the peer.

Lastly, in some setup I may have a second interface like 192.168.2.1 and
corresponding router 192.168.2.254.
Then the solution needs to be smart enough to pick interface 1 or 2.

Kind regards
Simon
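As an added illustration (not strongSwan code and not the poster's patch) of how the "pick interface 1 or 2" selection could work, the following models the address lookup the log lines describe: if no local address lies inside the local TS, it falls back to the interface through which the TS subnet is routed. The interface and route tables are constructed from the post; the second network 10.2.2.0/24 via 192.168.2.254 is an assumption.

```python
import ipaddress

# Constructed sample data modelling the setup described in the post; nothing here is
# read from a live system. The second network (10.2.2.0/24 via 192.168.2.254) is assumed.
INTERFACES = {
    "eth0": ipaddress.ip_interface("192.168.0.1/24"),
    "eth1": ipaddress.ip_interface("192.168.2.1/24"),
}
# Routing table: (destination, gateway or None when directly connected, interface)
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), None, "eth0"),
    (ipaddress.ip_network("192.168.2.0/24"), None, "eth1"),
    (ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_address("192.168.0.254"), "eth0"),
    (ipaddress.ip_network("10.2.2.0/24"), ipaddress.ip_address("192.168.2.254"), "eth1"),
]


def address_in_ts(ts):
    """The check that fails in the log: return a local address inside ts, else None."""
    net = ipaddress.ip_network(ts)
    for iface in INTERFACES.values():
        if iface.ip in net:
            return str(iface.ip)
    return None


def lookup_route(net):
    """Longest-prefix match: the most specific route whose destination covers net."""
    matches = [r for r in ROUTES if r[0].version == net.version and r[0].supernet_of(net)]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def pick_source_for_ts(ts):
    """Pick the local address for a local TS. When the TS contains no local address,
    fall back to the address of the interface through which the TS subnet is routed.
    Returns (address or None, reason)."""
    direct = address_in_ts(ts)
    if direct is not None:
        return direct, "local address inside TS"
    net = ipaddress.ip_network(ts)
    route = lookup_route(net)
    if route is None:
        return None, "no route towards TS"
    _dest, gateway, iface = route
    if gateway is None:
        return None, "TS is on a directly connected link but no local address lies in it"
    return str(INTERFACES[iface].ip), f"routed via {gateway} on {iface}"


if __name__ == "__main__":
    for ts in ("10.1.1.0/24", "10.2.2.0/24", "172.16.0.0/24"):
        print(ts, "->", pick_source_for_ts(ts))
```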