[Swan-dev] auto-start and PLUTO_MY_SOURCEIP='192.0.2.1'
Antony Antony
antony at phenome.org
Mon Nov 21 21:44:54 UTC 2016
https://bugs.libreswan.org/show_bug.cgi?id=274
reported a difference in behavior between
auto=add
ipsec auto --add conn
ipsec auto --up conn
vs
auto=start
In the second case PLUTO_MY_SOURCEIP does not get configured on the client.
Currently the updown script calls the function addsource only when it is called with route-client.
It seems with auto=start route-client is called before IKE begins. Then there is no SOURCEIP to set.
Once the IPsec SA is established pluto calls the updown only with up-client. And the SOURCEIP is not set.
We could add an extra call to the addsource when called with up-client.
Here is a simple patch for proof of concept.
I modified an existing test ikev2-48-nat-cp to test, changed auto=start and
removed add and up from road*
-antony
From d66ee4897381d769ddb47680d34ad7da4e42033d Mon Sep 17 00:00:00 2001
From: Antony Antony <antony at phenome.org>
Date: Mon, 21 Nov 2016 20:20:35 +0100
Subject: [PATCH] updown: add SOURCEIP on the client/peer when auto=start too
https://bugs.libreswan.org/show_bug.cgi?id=274
---
programs/_updown.netkey/_updown.netkey.in | 2 ++
1 file changed, 2 insertions(+)
diff --git a/programs/_updown.netkey/_updown.netkey.in b/programs/_updown.netkey/_updown.netkey.in
index 86f858c..50fa270 100644
--- a/programs/_updown.netkey/_updown.netkey.in
+++ b/programs/_updown.netkey/_updown.netkey.in
@@ -667,6 +667,7 @@ case "${PLUTO_VERB}" in
# If you are doing a custom version, firewall commands go here.
updateresolvconf
addcat
+ addsource
notifyNM connect
;;
down-client)
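Review bot: with addsource now also run from up-client, the auto=add flow described in the message (route-client followed by up-client, both with the same PLUTO_MY_SOURCEIP) calls addsource twice, so addsource has to be idempotent: it should skip an address that is already present before adding it, or the second call fails or duplicates the address. It also has to return cleanly when PLUTO_MY_SOURCEIP is empty, which is exactly the route-client call under auto=start that the message says happens before IKE; worth confirming both in the function body, which this hunk does not show.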
@@ -675,6 +676,7 @@ case "${PLUTO_VERB}" in
delnflog
delcat
delvti
+ delsource
# If you are doing a custom version, firewall commands go here.
restoreresolvconf
notifyNM disconnect
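Review bot: delsource in down-client removes the source address even when the connection stays routed: per the message route-client is where the address is added today, so a down-client without an unroute now leaves the route in place with its source address gone, which should be checked against how the unroute-client path handles it. Separately, the diffstat lists only _updown.netkey.in while the message says ikev2-48-nat-cp was changed to auto=start for testing; including that test change in the patch would let the auto=start case be exercised.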
--
2.4.11
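As an added example, not libreswan's _updown.netkey script and not part of this post or patch, the script below replays the updown verb sequence the message describes for auto=add and auto=start, with and without the patch, and reports which source address ends up configured. The real script's ip(8) calls are replaced by an in-memory list so it runs anywhere; the names addsource, delsource and updown mirror the script's, while call, run_scenario, PATCHED and CONFIGURED are constructed for the example, and 192.0.2.1 is taken from the subject line.

```shell
#!/bin/sh
# Added example, not libreswan's _updown.netkey: models which updown verbs
# configure PLUTO_MY_SOURCEIP under auto=add vs auto=start. The real script's
# ip(8) calls are replaced by the CONFIGURED list so this runs anywhere;
# addsource/delsource/updown mirror the script's names, the rest is constructed.

CONFIGURED=""   # stand-in for the address list `ip addr show` would report
PATCHED=0       # 1 = behaviour with the patch above, 0 = original script

# Idempotent stand-in for addsource: nothing to do when PLUTO_MY_SOURCEIP is
# empty (route-client under auto=start fires before IKE) or already present,
# which is what makes a second call from up-client harmless.
addsource() {
    [ -n "$PLUTO_MY_SOURCEIP" ] || return 0
    case " $CONFIGURED " in
        *" $PLUTO_MY_SOURCEIP "*) return 0 ;;
    esac
    CONFIGURED="${CONFIGURED:+$CONFIGURED }$PLUTO_MY_SOURCEIP"
}

# Stand-in for delsource: drop the address if present, ignore otherwise.
delsource() {
    new=""
    for a in $CONFIGURED; do
        [ "$a" = "$PLUTO_MY_SOURCEIP" ] || new="${new:+$new }$a"
    done
    CONFIGURED=$new
}

# Verb dispatch as pluto drives it: route-client/unroute-client handle the
# source address today; with the patch up-client/down-client do too.
updown() {
    case "$PLUTO_VERB" in
        route-client)   addsource ;;
        unroute-client) delsource ;;
        up-client)      [ "$PATCHED" = 1 ] && addsource ;;
        down-client)    [ "$PATCHED" = 1 ] && delsource ;;
    esac
    return 0
}

# Invoke updown the way pluto would: verb and source address in the environment.
call() { PLUTO_VERB=$1; PLUTO_MY_SOURCEIP=$2; updown; }

# Replay a verb sequence and print what ended up configured.
#   add:   route-client runs once the address is known, then up-client
#   start: route-client runs before IKE (empty address), then up-client
#   cycle: as start, then down-client tears the tunnel down
run_scenario() {   # $1 = add|start|cycle, $2 = 0|1 (patched)
    CONFIGURED=""
    PATCHED=$2
    addr="192.0.2.1"   # constructed, taken from the subject line
    case "$1" in
        add)   call route-client "$addr"; call up-client "$addr" ;;
        start) call route-client "";      call up-client "$addr" ;;
        cycle) call route-client "";      call up-client "$addr"
               call down-client "$addr" ;;
    esac
    echo "$CONFIGURED"
}

for mode in add start cycle; do
    for p in 0 1; do
        echo "scenario=$mode patched=$p -> '$(run_scenario "$mode" "$p")'"
    done
done
```

The unpatched auto=start run ends with nothing configured, which is the bug report; the patched runs configure the address in both modes, and the second addsource call in the auto=add flow is absorbed by the presence check rather than attempted twice.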