[strongSwan] pools attrs

Volodymyr Litovka doka at funlab.cc
Thu Apr 8 11:25:24 CEST 2021 

In general, what I need to get. I'm trying to build kind of mesh 
topology, where every host can be both client and server at the same 
time for different connections (it can accept connections and place 
connections to another hosts). Routing is OSPF-based and in order to run 
OSPF over tunnels, I need to specify an addressing on interface like the 
following statement -

$ ip addr add ${PLUTO_MY_SOURCEIP} peer ${PLUTO_PEER_SOURCEIP} dev 
xfrm${PLUTO_IF_ID_IN}

- while on the server side I have both server peer address (I just know 
it) and client peer address (PLUTO_PEER_SOURCEIP),
- the issue is on the client side: it has only PLUTO_MY_SOURCEIP and no 
ideas which is PLUTO_PEER_SOURCEIP

What I want is to use any of the available attribute in pools definition 
(e.g. "server") to signal on remote side server's peer address.

I managed to work over "dns" attribute (enabling dns_handler in 
updown.conf, while keeping resolve.conf disabled) but DNS is widely used 
attributed and this trick can be unapplicable in most situations.

So the question is - how to get e.g. "server" attribute in PLUTO_* 
variables?

On 08.04.2021 01:20, Volodymyr Litovka wrote:
>
> Hi colleagues,
>
> are there any ways to get remote side attributes, specified in "pools" 
> section, like:
>
> pools {
>          s1-pool {
>                  addrs = 25.0.0.2-25.0.1.255
>                  netmask = "255.255.254.0"
>          }
> }
>
> at the moment, my updown script on the client shows the following ones 
> upon launch:
>
> updown: PLUTO_PEER_ID=s1
> updown: PLUTO_ME=10.1.2.10
> updown: PLUTO_IF_ID_OUT=10
> updown: PLUTO_PEER_CLIENT=0.0.0.0/0
> updown: PLUTO_IF_ID_IN=10
> updown: PLUTO_VERSION=1.1
> updown: PLUTO_REQID=1
> updown: PLUTO_MY_PORT=0
> updown: PLUTO_MY_PROTOCOL=0
> updown: PLUTO_PEER_PORT=0
> updown: PLUTO_MY_SOURCEIP4_1=25.0.0.2
> updown: PLUTO_CONNECTION=s2
> updown: PLUTO_PEER_PROTOCOL=0
> updown: PLUTO_MY_CLIENT=0.0.0.0/0
> updown: PLUTO_MY_ID=s2
> updown: PLUTO_PEER=10.1.1.10
> updown: PLUTO_VERB=up-client
> updown: PLUTO_INTERFACE=eth0
> updown: PLUTO_UNIQUEID=1
> updown: PLUTO_MY_SOURCEIP=25.0.0.2
> updown: PLUTO_PROTO=esp
> updown: PLUTO_UDP_ENC=4500
>
> and there is no information on 'netmask' which is specified on the server.
>
> Thank you.
>
> -- 
> Volodymyr Litovka
>    "Vision without Execution is Hallucination." -- Thomas Edison

-- 
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20210408/9f989ef8/attachment.html>

More information about the Users mailing list