[strongSwan] remote_ts to catch in 'updown' - how?

lejeczek peljasz at yahoo.co.uk
Sat Jun 27 00:24:22 CEST 2020



On 25/06/2020 08:50, Tobias Brunner wrote:
> Hi,
>
>> But I see it appear only once with the latter IP/net.
> Then you either use IKEv1, or your peer narrowed the traffic selectors
> (due to its configuration or maybe because it only supports a single TS
> per CHILD_SA), check the log for details.
>
> Regards,
> Tobias
Could it be buggy strongSwan, the version I have?

$ swanctl --list-conn
muni: IKEv2, no reauthentication, rekeying every 14400s
  local:  %any
  remote:....
....
  muni: TUNNEL, rekeying every 3600s
    local:  dynamic
    remote: 10.5.4.204/32 172.16.0.0/12

And my 'updown':
----
#!/bin/bash
set -o nounset
# errexit: the script stops at the first failing command (for example
# 'ip tunnel add' when the interface from a previous invocation already exists).
set -o errexit

VTI_IF="vti${PLUTO_UNIQUEID}"

_vtiLog="/var/log/vti-iface.log"
_serverClient=${1}            # "roadwarrior" or "server", passed from the updown setting
_myLocalIP=$(hostname -i)

echo -ne "\n----RUN\n${VTI_IF} - ${PLUTO_VERB}\n" >> ${_vtiLog}

case "${PLUTO_VERB}" in
  up-client)
    # Each command is run and then echoed to the log.
    ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti key "${PLUTO_MARK_OUT%%/*}"
    echo ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti key "${PLUTO_MARK_OUT%%/*}" >> ${_vtiLog}
    ip link set "${VTI_IF}" mtu 1400 up >> ${_vtiLog}
    echo ip link set "${VTI_IF}" mtu 1400 up >> ${_vtiLog}
    if [ ${_serverClient} = "roadwarrior" ]; then
      ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}"
      echo ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}" >> ${_vtiLog}
      echo ip route add "${PLUTO_PEER_CLIENT}" dev "${VTI_IF}" >> ${_vtiLog}
      ip route add "${PLUTO_PEER_CLIENT}" dev "${VTI_IF}"
      firewall-cmd --zone=strongswan --add-interface="${VTI_IF}"
    elif [ ${_serverClient} = "server" ]; then
      ip route add "${PLUTO_PEER_SOURCEIP}" dev "${VTI_IF}" src ${_myLocalIP}
      echo ip route add "${PLUTO_PEER_SOURCEIP}" dev "${VTI_IF}" src ${_myLocalIP} >> ${_vtiLog}
    fi
    sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
    echo sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1" >> ${_vtiLog}
  ;;
  down-client)
    ip tunnel del "${VTI_IF}"
    echo ip tunnel del "${VTI_IF}" >> ${_vtiLog}
    firewall-cmd --zone=strongswan --remove-interface="${VTI_IF}"
  ;;
esac
----

And the log's content:

----RUN
vti2 - up-client
ip tunnel add vti2 local _IPa remote _IPb mode vti key 12
ip link set vti2 mtu 1400 up
ip addr add 172.16.32.59 dev vti2
ip route add 10.5.4.204/32 dev vti2
sysctl -w net.ipv4.conf.vti2.disable_policy=1

----RUN
vti2 - up-client
(here I'd expect something but it's where the file ends)


PS. One thing I should mention, which I realize seems odd:
10.5.4.204/32 is in reality a public IP, and in the swanctl
conf, no matter how I put it:
...
remote_ts = "10.5.4.204/32,172.16.0.0/12"
or
remote_ts = "172.16.0.0/12,10.5.4.204/32"

I always get that "public IP" only, whereas before I thought
I got it only when it was specified as the last one in the pack.

thanks, L
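As an added example (not the poster's script and not strongSwan project code), here is an idempotent version of the same VTI updown handler. It assumes the updown plugin invokes the script once per traffic-selector pair with the same PLUTO_UNIQUEID, so a second invocation finds the interface already present and only adds that selector's route; every invocation is logged, together with the PLUTO_PEER_CLIENT it was called for, before any command runs. The `DRY_RUN` variable and the `run`/`vti_exists` helpers are names introduced here.

```bash
#!/bin/bash
# Added example: idempotent VTI updown handler for strongSwan (not the poster's
# script). Assumes one invocation per traffic-selector pair, all sharing the
# same PLUTO_UNIQUEID, so the interface may already exist on the second call.
# No errexit: one failing command must not abort the run before it is logged.
VTI_LOG="${VTI_LOG:-/var/log/vti-iface.log}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1: log the commands instead of running them

# Log a command, then run it unless DRY_RUN is set.
run() {
    printf '%s\n' "$*" >> "$VTI_LOG"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# True if the VTI interface already exists (the second TS lands here).
vti_exists() {
    ip link show "$1" >/dev/null 2>&1
}

vti_updown() {
    local vti="vti${PLUTO_UNIQUEID}"
    # Log every invocation with its traffic selectors, so each TS is visible.
    printf '%s %s %s peer_client=%s my_client=%s\n' '----RUN' "$vti" "$PLUTO_VERB" \
        "${PLUTO_PEER_CLIENT:-}" "${PLUTO_MY_CLIENT:-}" >> "$VTI_LOG"
    case "$PLUTO_VERB" in
      up-client)
        if ! vti_exists "$vti"; then   # create the tunnel only once per IKE_SA
            run ip tunnel add "$vti" local "$PLUTO_ME" remote "$PLUTO_PEER" \
                mode vti key "${PLUTO_MARK_OUT%%/*}"
            run ip link set "$vti" mtu 1400 up
            run sysctl -w "net.ipv4.conf.${vti}.disable_policy=1"
            if [ -n "${PLUTO_MY_SOURCEIP:-}" ]; then   # roadwarrior virtual IP
                run ip addr add "$PLUTO_MY_SOURCEIP" dev "$vti"
            fi
        fi
        # One route per remote traffic selector; 'replace' makes re-runs harmless.
        run ip route replace "$PLUTO_PEER_CLIENT" dev "$vti"
        ;;
      down-client)
        run ip route del "$PLUTO_PEER_CLIENT" dev "$vti"
        if vti_exists "$vti"; then
            run ip tunnel del "$vti"
        fi
        ;;
    esac
}

[ -z "${PLUTO_VERB:-}" ] || vti_updown   # run when invoked by strongSwan
```

With DRY_RUN=1 the script can be driven by hand with the PLUTO_* variables set in the environment to check what it would do for each selector.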
