[strongSwan] remote_ts to catch in 'updown' - how?

lejeczek peljasz at yahoo.co.uk
Sat Jun 27 00:24:22 CEST 2020

On 25/06/2020 08:50, Tobias Brunner wrote:
> Hi,
>> But I see it appear only once with the latter IP/net.
> Then you either use IKEv1, or your peer narrowed the traffic selectors
> (due to its configuration or maybe because it only supports a single TS
> per CHILD_SA), check the log for details.
> Regards,
> Tobias
Could it be buggy Strongswan, the version I have?

$ swanctl --list-conn
muni: IKEv2, no reauthentication, rekeying every 14400s
  local:  %any
  muni: TUNNEL, rekeying every 3600s
    local:  dynamic

And my 'updown':
set -o nounset
set -o errexit

# _vtiLog (log file) and _serverClient ("roadwarrior" or "server") are set
# earlier in the script; that part is not in the post, so fail clearly if unset
: "${_vtiLog:?path of the log file}"
: "${_serverClient:?roadwarrior or server}"

_myLocalIP=$(hostname -i)

echo -ne "\n----RUN\n${VTI_IF} - ${PLUTO_VERB}\n" >> ${_vtiLog}

# the case labels were lost in the paste; "up-client" is the verb in the log below
case "${PLUTO_VERB}" in
  up-client)
    ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti key "${PLUTO_MARK_OUT%%/*}"
    echo ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti key "${PLUTO_MARK_OUT%%/*}" >> ${_vtiLog}
    ip link set "${VTI_IF}" mtu 1400 up >> ${_vtiLog}
    echo ip link set "${VTI_IF}" mtu 1400 up >> ${_vtiLog}
    if [ ${_serverClient} = "roadwarrior" ]; then
      ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}"
      echo ip route add "${PLUTO_PEER_CLIENT}" dev "${VTI_IF}" >> ${_vtiLog}
      ip route add "${PLUTO_PEER_CLIENT}" dev "${VTI_IF}"
      firewall-cmd --zone=strongswan --add-interface="${VTI_IF}"
    elif [ ${_serverClient} = "server" ]; then
      ip route add "${PLUTO_PEER_SOURCEIP}" dev "${VTI_IF}" src ${_myLocalIP}
      echo ip route add "${PLUTO_PEER_SOURCEIP}" dev "${VTI_IF}" src ${_myLocalIP} >> ${_vtiLog}
    fi
    sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
    echo sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1" >> ${_vtiLog}
    ;;
  down-client)
    ip tunnel del "${VTI_IF}"
    echo ip tunnel del "${VTI_IF}" >> ${_vtiLog}
    firewall-cmd --zone=strongswan    # the rest of this line was cut off in the post
    ;;
esac

And the log's content:

vti2 - up-client
ip tunnel add vti2 local _IPa remote _IPb mode vti key 12
ip link set vti2 mtu 1400 up
ip addr add dev vti2
ip route add dev vti2
sysctl -w net.ipv4.conf.vti2.disable_policy=1

vti2 - up-client
(here I'd expect something but it's where the file ends)

ps. One thing I should mention, which I realize seems odd: - in reality is a public IP and in swanctl
conf no matter how I put it:
remote_ts = ","
remote_ts = ","

I always get that "public IP" only, whereas before I thought
I got it only when it was specified as last one in the pack.

thanks, L
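As an added example (not from this post nor from the strongSwan project): the thread concerns charon running the updown script more than once for one CHILD_SA when remote_ts carries several selectors, and a script written as above aborts under errexit the second time, because "ip tunnel add" fails for a device that already exists while only stdout is logged, so the log just stops. The sketch below checks sysfs before creating the device, uses "ip route replace" so a repeated selector is harmless, and appends stderr to the log. PLUTO_VERB, PLUTO_ME, PLUTO_PEER, PLUTO_MARK_OUT and PLUTO_PEER_CLIENT are the variables strongSwan exports; VTI_IF is taken from the script in the post; VTI_LOG, VTI_DRY_RUN and the function names are assumptions made here. With VTI_DRY_RUN=1 the commands are printed instead of executed, which is how it can be exercised without root.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the PLUTO_* environment
# set by charon plus VTI_IF; VTI_LOG and VTI_DRY_RUN are names chosen here.
set -u

VTI_LOG=${VTI_LOG:-/dev/null}      # where commands and their stderr are appended
VTI_DRY_RUN=${VTI_DRY_RUN:-0}      # 1: print commands instead of running them

# True if the network device already exists (sysfs, so no iproute2 needed).
vti_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Log the command line, then run it with stderr captured, or print it in dry-run mode.
run() {
    printf '%s\n' "$*" >> "$VTI_LOG"
    if [ "$VTI_DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@" 2>> "$VTI_LOG"
    fi
}

# up-client: create the VTI device only on the first call for this CHILD_SA,
# then add the route for the selector charon passed in PLUTO_PEER_CLIENT.
vti_up() {
    if vti_exists "$VTI_IF"; then
        printf 'skip: %s exists\n' "$VTI_IF"
    else
        run ip tunnel add "$VTI_IF" local "$PLUTO_ME" remote "$PLUTO_PEER" \
            mode vti key "${PLUTO_MARK_OUT%%/*}"
        run ip link set "$VTI_IF" mtu 1400 up
        run sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
    fi
    # PLUTO_PEER_CLIENT differs per invocation when remote_ts lists several networks;
    # "replace" makes a repeated call for the same selector a no-op instead of an error
    run ip route replace "$PLUTO_PEER_CLIENT" dev "$VTI_IF"
}

# down-client: drop this selector's route; remove the device if it is still there.
vti_down() {
    run ip route del "$PLUTO_PEER_CLIENT" dev "$VTI_IF" || true
    if vti_exists "$VTI_IF"; then
        run ip tunnel del "$VTI_IF"
    fi
}

# Entry point: dispatch on the verb charon passes.
vti_updown() {
    case "${PLUTO_VERB:-}" in
        up-client)   vti_up ;;
        down-client) vti_down ;;
        *)           printf 'ignored verb: %s\n' "${PLUTO_VERB:-}" ;;
    esac
}
```

To use it as a real updown script, append a call to vti_updown at the end of the file and point VTI_LOG at a writable path; every failing ip or sysctl invocation then leaves its error message next to the command line that produced it, instead of an empty entry like the second "vti2 - up-client" above.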
