[Swan] leftsourceip functionality with libreswan-3.0

Paul Wouters paul at nohats.ca
Sun Jan 6 18:18:32 EET 2013


On Sun, 6 Jan 2013, Philippe Vouters wrote:

> My guess is that the last ping works fine without -I 192.168.1.2 on my desktop because of this information in the ip route output in bold:
> 192.168.2.101 via 192.168.1.1 dev eth0  src 192.168.1.2

Yes. That is the whole point of the left/rightsourceip= option! From the
man page:

   leftsourceip
            the IP address for this host to use when transmitting a
            packet to the other side of this link. Relevant only locally,
            the other end need not agree. This option is used to make
            the gateway itself use its internal IP, which is part of
            the leftsubnet, to communicate to the rightsubnet or right.
            Otherwise, it will use its nearest IP address, which is its
            public IP address. This option is mostly used when defining
            subnet-subnet connections, so that the gateways can talk to
            each other and the subnet at the other end, without the need
            to build additional host-subnet, subnet-host and host-host
            tunnels. Both IPv4 and IPv6 addresses are supported.


> The big question is now how the desktop managed to know it has to use 192.168.1.2 to reach 192.168.2.101 ????

The new code in addconn.c asks the kernel for the best IP to use to
reach the destination (right=).

> The absence of leftsourceip in the ipsec configuration prevents the network layer from correctly knowing in advance which route to use. Once traffic is established between both ends, the
> network layer (especially xfrm) has enough information to correctly route the packets.

That might be due to the changes in addconn when it fills in the
"unspecified" information. I think somehow it might be getting the
127.0.0.1 dev lo route and uses that as "source ip".

Paul
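The source-address choice discussed above, as an added example that is not part of the original mail or of libreswan's own code: a POSIX sh script that extracts the `src` field from a line in the shape `ip route get <dest>` prints (the same question addconn puts to the kernel), refuses the loopback answer the mail suspects addconn is picking up, and writes an ipsec.conf subnet-subnet conn with leftsourceip= pinned to the internal address. The function names, the conn name and all addresses are constructed for illustration; the two routing lines are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example (not libreswan code): reproduce the source-address choice
# the mail discusses and pin it with leftsourceip=. All addresses and the
# sample routing lines below are constructed for illustration.

# Pull the "src" field out of one line of `ip route get` output, i.e. the
# address the kernel would stamp on packets to that destination. This is
# the question addconn asks the kernel when the source is unspecified.
route_src() {
    prev=""
    for word in $1; do
        if [ "$prev" = "src" ]; then
            printf '%s\n' "$word"
            return 0
        fi
        prev=$word
    done
    return 1
}

# A loopback (or empty) source is never a usable leftsourceip; it is the
# "127.0.0.1 dev lo" case the mail suspects addconn is falling into.
usable_src() {
    case "$1" in
        ""|127.*|::1) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit an ipsec.conf subnet-subnet conn with leftsourceip pinned, so the
# gateway talks to rightsubnet from its internal address rather than its
# nearest (public) one. Hypothetical conn layout, constructed addresses.
conn_stanza() {
    name=$1 left=$2 leftsubnet=$3 leftsourceip=$4 right=$5 rightsubnet=$6
    printf 'conn %s\n' "$name"
    printf '\tleft=%s\n' "$left"
    printf '\tleftsubnet=%s\n' "$leftsubnet"
    printf '\tleftsourceip=%s\n' "$leftsourceip"
    printf '\tright=%s\n' "$right"
    printf '\trightsubnet=%s\n' "$rightsubnet"
    printf '\tauto=start\n'
}

# Choose a leftsourceip from a routing line, refusing the loopback case.
# Returns 1 (and prints nothing) when the kernel's pick is unusable.
pick_leftsourceip() {
    src=$(route_src "$1") || return 1
    usable_src "$src" || return 1
    printf '%s\n' "$src"
}

# Constructed sample lines in the shape `ip route get <dest>` prints:
# the first mirrors the desktop's route from the mail, the second is the
# loopback answer that must not become a source address.
GOOD_ROUTE='192.168.2.101 via 192.168.1.1 dev eth0  src 192.168.1.2'
BAD_ROUTE='local 127.0.0.1 dev lo  src 127.0.0.1'

# Demo: the good line yields 192.168.1.2 and a conn stanza; the bad line
# is rejected and the operator is told to set leftsourceip= by hand.
if src=$(pick_leftsourceip "$GOOD_ROUTE"); then
    conn_stanza net-net 198.51.100.1 192.168.1.0/24 "$src" 203.0.113.1 192.168.2.0/24
fi
pick_leftsourceip "$BAD_ROUTE" || echo "loopback source refused; set leftsourceip= explicitly" >&2
```

To check a live gateway, run `ip route get <right>` on it before the tunnel is up and compare the `src` it prints with the leftsourceip= in the conn: when the two differ, the gateway's own traffic to rightsubnet would otherwise leave from its public address and fall outside the leftsubnet policy.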