[Swan-dev] xauth and proxy arp

Wolfgang Nothdurft wolfgang at linogate.de
Wed Apr 29 15:00:49 EEST 2015

Am 29.04.2015 um 12:45 schrieb Tuomo Soini:
> On Wed, 29 Apr 2015 10:58:53 +0200
> Wolfgang Nothdurft <wolfgang at linogate.de> wrote:
>> The proxy arp entry is for the local address the client gets.
> Ok. I misunderstood your user case.
> I think this is too complicated solution for the problem.
> Simple one is to enable sysctl option for proxy_arp for lan interface
> if you use pool which is part of lan network.
> If you have eth1 as lan network interface you could do:
> sysctl -w net.ipv4.conf.eth1.proxy_arp=1
> When this is activated, kernel does automatically proxy arp on eth1 if
> there is more specific route on different interface.
>> When your local net is and the client for example gets
>> an ip adress from this range, you need a proxy arp entry to
>> communicate with other local clients.
> Exactly.
>> The script check if the client ip is routable on local ethernet
>> devices and add a proxy arp entry.
>> Normally this is PLUTO_PEER_CLIENT, but PLUTO_PEER_CLIENT_NET has the
>> correct ip without /32 mask.
> This way to do proxyarp I described works for cases where you have
> behind eth2 and behind eth1. Packets
> from hosts use default route to and eth1
> automatic proxyarp causes router to answer with proxy arp causing
> response packets to work or rest of Note, with this
> setup can't be used in network. This
> proxyarp based subnetting is called variable lenght net masks (VLNM) on
> some documents.
> Could you try with this, I'm sure this is better solution than hacking
> forced proxyarp to _updown.*
Sure this is the "easy configuration method" and will work.

But Enabling proxy arp for the whole lan has also security risks and 
problems in complex networks. So it is no option for a firewall/vpn 

This is the reason I used this method to add the defined single ip to 
the arp cache, only for this special case where someone want the same ip 
no matter if he connects local from the lan or remote over vpn with his 


More information about the Swan-dev mailing list