[Swan-dev] xauth and proxy arp

Paul Wouters paul at nohats.ca
Wed Nov 5 19:13:29 EET 2014

On Wed, 5 Nov 2014, Wolfgang Nothdurft wrote:

> When using modecfg to assign a local ip address to a xauth client, you have 
> the problem that you can't access local machines, because of the missing arp 
> answer.
> Maybe I missed something, but I don't found any info, how to solve this 
> scenario.
> So I added a function to _updown.klips.
> It checks if the ip address of the peer is local routed and if so adds a 
> proxy arp entry.
> The check must be done before the eroute is set, otherwise you get the ipsec 
> device.
> I don't know, if netkey has the same problem.

Thanks for the patch! We'll look at it and create test cases and pull it

> One thing todo is maybe to call this function only with xauth connections.

I wouldn't do that because for IKEv2 with addresspool, we would also
want this.


More information about the Swan-dev mailing list