[strongSwan] [EDIT] Traffic selection problems

Felipe Arturo Polanco felipeapolanco at gmail.com
Sat Mar 2 16:22:33 CET 2019


You can extract the env variable information by using the "set" command:
use a temporary updown script that contains "set > /tmp/output". After
establishing the connection, check that output file on both the initiator
and the responder and see if the values are as expected. If they are, try to
reproduce the script by typing each command one by one in the console and
see its behavior.

Remember to disable the updown script in strongswan when running it
manually.

Sent from mobile.

On Sat, Mar 2, 2019, 2:22 AM Brian Topping <brian.topping at gmail.com> wrote:

> Hi Felipe,
>
> That use of `left|rightsubnet` was a huge help.
>
> In an effort to automate the address assignment for a larger network (same
> theme as the OSPF), I’ve been using the `leftupdown` script in
> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Connection-specific-VTI-Devices.
>
> So I’ve updated it as shown:
>
> =============================
> Dynamic:
> conn site-2-dynamic-ip
>     mark=%unique
>     left=%defaultroute
>     leftsourceip=%config4
>     leftsubnet=10.10.0.0/22,10.9.255.252/30
>     leftfirewall=no
>     leftupdown=/etc/strongswan.d/ipsec-vti.sh
>     right=st.at.ic.ip
>     rightsubnet=10.10.4.0/22,10.9.255.252/30
>     rightid=%specific.example.com
>     auto=add
>
> Static:
> conn site-1-static-ip
>     mark=%unique
>     left=st.at.ic.ip
>     leftsubnet=10.10.4.0/22,10.9.255.252/30
>     leftid=%specific.example.com
>     leftfirewall=no
>     leftsourceip=10.9.255.253
>     leftupdown=/etc/strongswan/ipsec-vti.sh
>     right=%any
>     rightsourceip=10.9.255.254
>     rightsubnet=10.10.0.0/22,10.9.255.252/30
>     auto=add
> ===============================
>
>
> With this configuration, I get full SA and IKE negotiation including TS
> and dynamic side tunnel configuration:
>
> root at dynamic:/# ip a show vti1
> 49: vti1 at NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1472 qdisc noqueue
> state UNKNOWN group default qlen 1000
>     link/ipip dy.na.mi.cip peer st.at.ic.ip
>     inet 10.9.255.254/32 scope global vti1
>        valid_lft forever preferred_lft forever
>
>
> On the static side, I get an error from the script:
>
> 04[CHD] updown: /etc/strongswan/ipsec-vti.sh: line 15: PLUTO_MY_SOURCEIP:
> unbound variable
>
>
> I initially had the same problem on the dynamic side, but the addition of
> `leftsourceip=%config4` and `rightsourceip` on the static side resolved
> that.
>
> Is there something I am missing to avoid the "PLUTO_MY_SOURCEIP: unbound
> variable" problem?
>
> Thanks so much for your insight!
>
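The debugging approach described in the reply above, as an added example that is not part of the original thread and not the wiki's ipsec-vti.sh: a hypothetical temporary updown script that dumps its whole environment with `set` into a per-event file (so the initiator's and responder's captures can be diffed), and that reads PLUTO_MY_SOURCEIP through a default expansion so that `set -u` does not abort when strongSwan has not assigned a virtual IP to this side. The function names, the dump directory and the fallback to PLUTO_ME are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical debug updown script (added example, not the wiki's ipsec-vti.sh).
# strongSwan runs the updown hook with the PLUTO_* variables in its environment;
# PLUTO_VERB carries the event (up-client, down-client, ...).
set -eu

# Directory for the environment captures (assumption: TMPDIR or /tmp is writable).
DUMP_DIR="${DUMP_DIR:-${TMPDIR:-/tmp}}"

# Write every variable the script can see into a per-connection, per-event file
# and print the file name, so both peers' captures can be compared afterwards.
dump_env() {
    verb="${PLUTO_VERB:-unknown}"
    conn="${PLUTO_CONNECTION:-noconn}"
    out="$DUMP_DIR/updown-$conn-$verb-$$.env"
    set > "$out"
    printf '%s\n' "$out"
}

# Address to configure on the VTI device without tripping `set -u`:
# PLUTO_MY_SOURCEIP is only exported when a virtual IP was assigned to this
# side (leftsourceip/rightsourceip); otherwise fall back to PLUTO_ME (assumed).
vti_local_addr() {
    if [ -n "${PLUTO_MY_SOURCEIP:-}" ]; then
        printf '%s\n' "$PLUTO_MY_SOURCEIP"
    else
        printf '%s\n' "${PLUTO_ME:-}"
    fi
}

# Only act on real hook events; when the file is sourced by hand, PLUTO_VERB is unset.
case "${PLUTO_VERB:-}" in
    up-client|up-host)
        dump_env >/dev/null
        vti_local_addr >/dev/null
        ;;
    down-client|down-host)
        dump_env >/dev/null
        ;;
esac
```

Point `leftupdown` at this file on both peers, bring the connection up, and diff the two capture files: the side that lacks a `PLUTO_MY_SOURCEIP=` line is the one whose `*sourceip` setting did not take effect. Disable the real updown script while stepping through its commands by hand, as the reply notes.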