[Swan-dev] xauth and proxy arp

Wolfgang Nothdurft wolfgang at linogate.de
Wed Apr 29 15:00:49 EEST 2015


On 29.04.2015 at 12:45, Tuomo Soini wrote:
> On Wed, 29 Apr 2015 10:58:53 +0200
> Wolfgang Nothdurft <wolfgang at linogate.de> wrote:
>
>> The proxy arp entry is for the local address the client gets.
> Ok. I misunderstood your use case.
>
> I think this is too complicated a solution for the problem.
>
> The simple one is to enable the sysctl option proxy_arp for the LAN
> interface if you use a pool which is part of the LAN network.
>
> If you have eth1 as lan network interface you could do:
>
> sysctl -w net.ipv4.conf.eth1.proxy_arp=1
>
> When this is activated, the kernel automatically does proxy ARP on eth1
> if there is a more specific route on a different interface.
>
>> When your local net is 192.186.0.0/24 and the client for example gets
>> an IP address from this range, you need a proxy ARP entry to
>> communicate with other local clients.
> Exactly.
>
>> The script checks if the client IP is routable on local ethernet
>> devices and adds a proxy ARP entry.
>>
>> Normally this is PLUTO_PEER_CLIENT, but PLUTO_PEER_CLIENT_NET has the
>> correct IP without the /32 mask.
> This way of doing proxy ARP that I described works for cases where you
> have 192.168.0.32/27 behind eth2 and 192.168.0.0/24 behind eth1. Packets
> from 192.168.0.32/27 hosts use the default route to 192.168.0.0/24, and
> the automatic proxy ARP on eth1 causes the router to answer with proxy
> ARP, so response packets work for the rest of 192.168.0.0/24. Note, with
> this setup 192.168.0.32/27 can't be used in the 192.168.0.0/24 network.
> This proxy ARP based subnetting is called variable length net masks
> (VLNM) in some documents.
>
> Could you try with this? I'm sure this is a better solution than hacking
> forced proxy ARP into _updown.*
>
Sure, this is the "easy configuration method" and will work.

But enabling proxy ARP for the whole LAN also has security risks and
problems in complex networks. So it is not an option for a firewall/VPN
appliance.

This is the reason I used this method to add the defined single IP to
the ARP cache, only for this special case where someone wants the same IP
no matter if he connects locally from the LAN or remotely over VPN with
his laptop/phone.

Wolfgang
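A sketch of the per-host hook Wolfgang describes, as an added example that is not code from this thread or from libreswan's own _updown: it strips the /32 from PLUTO_PEER_CLIENT, checks whether the address falls inside the LAN subnet, and adds or removes one proxy ARP neighbour entry instead of setting net.ipv4.conf.eth1.proxy_arp=1 for the whole interface. LAN_IF and LAN_NET are assumed names for the LAN interface and its subnet.

```shell
#!/bin/sh
# Added example (not from the thread or libreswan): per-host proxy ARP hook
# to be called from an _updown script. LAN_IF and LAN_NET are assumed names.

# Strip the prefix length, since PLUTO_PEER_CLIENT arrives as "a.b.c.d/32".
host_of() {
    printf '%s\n' "${1%/*}"
}

# Dotted-quad IPv4 address to a 32-bit integer (POSIX sh arithmetic only).
# Runs in a subshell so changing IFS does not leak into the caller.
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Succeed when address $1 lies inside CIDR network $2 (e.g. 192.168.0.0/24).
in_subnet() {
    net=${2%/*}; plen=${2#*/}
    mask=$(( 4294967295 ^ ((1 << (32 - plen)) - 1) ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# Print the ip(8) command for this _updown verb, or nothing when the client
# address is outside the LAN (no proxy ARP entry is needed then). Only the
# one pool address is proxied, unlike net.ipv4.conf.<if>.proxy_arp=1, which
# makes the kernel answer ARP for every more specific route on that interface.
proxy_arp_cmd() {
    verb=$1; client=$(host_of "$2"); lan_if=$3; lan_net=$4
    in_subnet "$client" "$lan_net" || return 0
    case $verb in
        up-client)   echo "ip neigh add proxy $client dev $lan_if" ;;
        down-client) echo "ip neigh del proxy $client dev $lan_if" ;;
    esac
}

# When pluto runs this as an _updown hook, PLUTO_VERB and PLUTO_PEER_CLIENT
# are set in the environment; apply the entry for real (needs root).
if [ -n "${PLUTO_VERB:-}" ]; then
    cmd=$(proxy_arp_cmd "$PLUTO_VERB" "$PLUTO_PEER_CLIENT" \
                        "${LAN_IF:-eth1}" "${LAN_NET:-192.168.0.0/24}")
    [ -n "$cmd" ] && $cmd
fi
```

The active entries can be audited with `ip neigh show proxy`, which is the check a firewall operator would want before trusting the pool with LAN addresses.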



