[strongSwan] [EDIT] Traffic selection problems

Brian Topping brian.topping at gmail.com
Sat Mar 2 07:22:48 CET 2019 

Hi Felipe,

That use of `left|rightsubnet` was a huge help.

In an effort to automate the address assignment for a larger network (same theme as the OSPF), I’ve been using the `leftupdown` script in https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Connection-specific-VTI-Devices <https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Connection-specific-VTI-Devices>. 

So I’ve updated it as shown:

> =============================
> Dynamic:
> conn site-2-dynamic-ip
	   mark=%unique
> 	left=%defaultroute
           leftsourceip=%config4
> 	leftsubnet=10.10.0.0/22,10.9.255.252/30 <http://10.10.0.0/22,10.9.255.252/30>
> 	leftfirewall=no
           leftupdown=/etc/strongswan.d/ipsec-vti.sh
           right=st.at.ic.ip
> 	rightsubnet=10.10.4.0/22,10.9.255.252/30 <http://10.10.4.0/22,10.9.255.252/30>
> 	rightid=%specific.example.com <http://specific.example.com/>
> 	auto=add
> 
> Static:
> conn site-1-static-ip
           mark=%unique
> 	left=st.at.ic.ip
> 	leftsubnet=10.10.4.0/22,10.9.255.252/30 <http://10.10.4.0/22,10.9.255.252/30>
> 	leftid=%specific.example.com <http://specific.example.com/>
> 	leftfirewall=no
           leftsourceip=10.9.255.253 
           leftupdown=/etc/strongswan/ipsec-vti.sh
> 	right=%any
           rightsourceip=10.9.255.254
> 	rightsubnet=10.10.0.0/22,10.9.255.252/30 <http://10.10.0.0/22,10.9.255.252/30>
> 	auto=add
> ===============================

With this configuration, I get full SA and IKE negotiation including TS and dynamic side tunnel configuration:

> root at dynamic:/# ip a show vti1
> 49: vti1 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1472 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/ipip dy.na.mi.cip peer st.at.ic.ip
>     inet 10.9.255.254/32 scope global vti1
>        valid_lft forever preferred_lft forever

On the static side, I get an error from the script:
> 04[CHD] updown: /etc/strongswan/ipsec-vti.sh: line 15: PLUTO_MY_SOURCEIP: unbound variable

I initially had the same problem on the dynamic side, but the addition of `leftsourceip=%config4` and `rightsourceip` on the static side resolved that.

Is there something I am missing to avoid the "PLUTO_MY_SOURCEIP: unbound variable” problem?

Thanks so much for your insight!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190301/b6f5ec16/attachment-0001.html>

More information about the Users mailing list