[strongSwan] [EDIT] Traffic selection problems
Brian Topping
brian.topping at gmail.com
Mon Mar 4 14:29:11 CET 2019
Hi all, Is there anyone familiar enough with the source to confirm or correct me on this premise below? It still seems to me that the addresses presented by the updown plugin for PLUTO_MY_SOURCEIP are only those from ike_sa_t->my_vips and unless the responder is able to somehow get addresses in there, the script will always have insufficient information to generate the tunnel on the responder side.
> On Mar 2, 2019, at 3:08 PM, Brian Topping <brian.topping at gmail.com> wrote:
>
> Thanks Felipe! I had checked that out in the past and there are no values that are set that could be used in in the script for the same effect (the static side tunnel endpoint address).
>
> There are two things I am wondering at this point:
>
> Getting this working probably has something to do with the code in https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/ike_sa.c;h=3d576a0e89a67b6e76e636ed744e88bdbec3a551;hb=HEAD#l948-979 <https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/ike_sa.c;h=3d576a0e89a67b6e76e636ed744e88bdbec3a551;hb=HEAD#l948-979>. As I have seen an error where “site-1-static-ip has both left- and rightsourceip, but IKE can negotiate one virtual IP only, ignoring local virtual IP”, I clearly need to specify the leftsourceip on the static side. But the IP is no longer virtual in that case. And when it is no longer virtual, the code at https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/plugins/updown/updown_listener.c;h=bbefd6a027ceca473da327939da2f70aced887c6;hb=HEAD#l182 <https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/plugins/updown/updown_listener.c;h=bbefd6a027ceca473da327939da2f70aced887c6;hb=HEAD#l182> never finds it.
> Alternatively, maybe I should drop this idea of using Strongswan setting up VTIs. Maybe Bird can deal with tunnels that do not have VTIs and I just don’t understand that construction.
>
> I am worried that I will also lose future compatibility with VTI-capable routers (like Cisco et al) if I go with #2. I don’t have any present need for doing so, but if I did, converting everything would be a lot of tears.
>
> It seems like what I am trying to do in #1 is not possible given that addresses pushed through the updown plugin can only read from IPs found in ike_sa_t->my_vips.
>
> Brian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190304/451c5efd/attachment.html>
More information about the Users
mailing list