[Swan-dev] xauth and proxy arp

Tuomo Soini tis at foobar.fi
Tue Apr 28 14:23:23 EEST 2015


On Wed, 05 Nov 2014 17:47:59 +0100
Wolfgang Nothdurft <wolfgang at linogate.de> wrote:

> When using modecfg to assign a local IP address to an xauth client,
> you have the problem that you can't access local machines, because of
> the missing arp answer.
> 
> Maybe I missed something, but I didn't find any info on how to solve
> this scenario.
> 
> So I added a function to _updown.klips.
> 
> It checks if the ip address of the peer is locally routed and if so
> adds a proxy arp entry.
> The check must be done before the eroute is set, otherwise you get
> the ipsec device.
> 
> I don't know if netkey has the same problem.
> 
> One thing to do is maybe to call this function only with xauth
> connections.

Wolfgang, could you test this modified patch? I converted it to use
iproute2 instead of the legacy arp command. But you have a ready test
setup, so I'd like to hear your comments before we apply this and try to
create a test case. Another question is: you used
${PLUTO_PEER_CLIENT_NET} - shouldn't that be ${PLUTO_PEER}?

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: libreswan-add-proxy-arp-iproute.diff
Type: text/x-patch
Size: 1249 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20150428/822a7032/attachment.bin>
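The check described in the thread, as an added example; it is not part of either message and is not the scrubbed Libreswan patch. The function names and sample addresses are hypothetical, and the route text is passed in as a string so the decision logic can be exercised without root or a tunnel; the function prints the iproute2 command instead of running it.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not Libreswan code).
# Decide whether a modecfg-assigned client address needs a proxy ARP entry,
# based on the one-line output of `ip -o route get <addr>`.

# Print the outgoing device named in `ip -o route get` output ($1).
route_dev() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "dev") { print $(i + 1); exit }
    }'
}

# $1 = client address (a trailing /prefix is stripped)
# $2 = output of `ip -o route get` for that address
# $3 = add | del
# Prints the `ip neigh` command and returns 0 when the address is on a
# directly attached LAN; returns 1 when no proxy entry should be made.
proxy_arp_cmd() {
    addr=${1%%/*}
    dev=$(route_dev "$2")
    case "$dev" in
        ''|lo)        return 1 ;;  # no route found, or our own address
        ipsec*|mast*) return 1 ;;  # eroute already set: lookup shows the tunnel device
    esac
    case " $2 " in
        *" via "*)    return 1 ;;  # reached through a gateway, not on-link
    esac
    printf 'ip neigh %s proxy %s dev %s\n' "$3" "$addr" "$dev"
}

# Constructed sample route lookups, not captured from a real host.
before_eroute='192.168.1.50 dev eth0 src 192.168.1.1 uid 0'
after_eroute='192.168.1.50 dev ipsec0 src 192.168.1.1 uid 0'

proxy_arp_cmd 192.168.1.50/32 "$before_eroute" add
proxy_arp_cmd 192.168.1.50/32 "$after_eroute" add ||
    echo "skip: lookup ran after the eroute was installed"
```

The matching `del` command has to be issued on the down event, otherwise the host keeps answering ARP for an address that no longer has a tunnel behind it.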

