[Swan-dev] xauth and proxy arp

Wolfgang Nothdurft wolfgang at linogate.de
Wed Apr 29 11:58:53 EEST 2015

Am 28.04.2015 um 13:23 schrieb Tuomo Soini:
> On Wed, 05 Nov 2014 17:47:59 +0100
> Wolfgang Nothdurft <wolfgang at linogate.de> wrote:
>> When using modecfg to assign a local ip address to a xauth client,
>> you have the problem that you can't access local machines, because of
>> the missing arp answer.
>> Maybe I missed something, but I don't found any info, how to solve
>> this scenario.
>> So I added a function to _updown.klips.
>> It checks if the ip address of the peer is local routed and if so
>> adds a proxy arp entry.
>> The check must be done before the eroute is set, otherwise you get
>> the ipsec device.
>> I don't know, if netkey has the same problem.
>> One thing todo is maybe to call this function only with xauth
>> connections.
> Wolfgang, could you test this modified patch, I converted it to use
> iproute2 instead of legacy arp command. But you have ready test
> setup so I'd like to hear your comments before we apply this and try to
> create a test case. Another question is: you used

This worked, but I added an extra Test for empty mac addresses (non 
ethernet devices).

For example if your default route points to ppp0.

I found no way to catch this with the ip route get command itself.

 > ${PLUTO_PEER_CLIENT_NET} - shouldn't that be ${PLUTO_PEER}?

The proxy arp entry is for the local address the client gets.

When your local net is and the client for example gets an 
ip adress from this range, you need a proxy arp entry to communicate 
with other local clients.

The script check if the client ip is routable on local ethernet devices 
and add a proxy arp entry.

Normally this is PLUTO_PEER_CLIENT, but PLUTO_PEER_CLIENT_NET has the 
correct ip without /32 mask.

-------------- next part --------------
diff --git a/programs/_updown.klips/_updown.klips.in b/programs/_updown.klips/_updown.klips.in
index 7f18298..1c85e47 100644
--- a/programs/_updown.klips/_updown.klips.in
+++ b/programs/_updown.klips/_updown.klips.in
@@ -176,6 +176,7 @@ esac
 # utility functions for route manipulation
 # Meddling with this stuff should not be necessary and requires great care.
 uproute() {
+    doproxyarp add
     doroute add
     ip route flush cache
@@ -183,6 +184,7 @@ uproute() {
 downroute() {
     doroute delete
     ip route flush cache
+    doproxyarp delete
 uprule() {
@@ -450,6 +452,22 @@ dorule() {
     return ${st}
+doproxyarp() {
+    # check if client is routeable local
+    if ip -o route get ${PLUTO_PEER_CLIENT_NET} | grep -qs -v via; then
+	iface=$(ip -o route get ${PLUTO_PEER_CLIENT_NET} | awk '{print $3}')
+	macaddr=$(cat /sys/class/net/${iface}/address)
+	# add/remove arp entry for the client on ethernet devices only
+	if [ "${macaddr}" ]; then
+	    if [ $1 == "add" ]; then
+		ip neigh add proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface} \
+		    lladdr ${macaddr} nud permanent
+	    else
+		ip neigh del proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface}
+	    fi
+	fi
+    fi
 doroute() {

More information about the Swan-dev mailing list