[Swan] libreswan 3.9+klips not listen on multiple secondary address
Paul Wouters
paul at nohats.ca
Wed Jul 16 18:02:41 EEST 2014
On Wed, 16 Jul 2014, csszep wrote:
> I'm migrating from openswan to libreswan and I have a host with
> multiple interfaces and secondary address.
>
> With openswan (2.6.28) the following line works:
>
> interfaces="ipsec0=eth5:0 ipsec1=eth4:0 ipsec2=eth3:0
Are you missing a closing quote (") there?
> Pluto listens on secondary address on these interfaces
It works for me?
[root at road ~]# ifconfig eth0:1 11.1.2.3/24
[root at road ~]# ipsec version
Linux Libreswan Uv3.9-86-gc7e82bb-master/K(no kernel code presently loaded) on 3.13.6-200.fc20.x86_64
[root at road ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.1.3.209 netmask 255.255.255.0 broadcast 192.1.3.255
ether 12:00:00:ab:cd:02 txqueuelen 1000 (Ethernet)
RX packets 10342 bytes 2533695 (2.4 MiB)
RX errors 0 dropped 5 overruns 0 frame 0
TX packets 11878 bytes 9857645 (9.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 11.1.2.3 netmask 255.255.255.0 broadcast 11.1.2.255
ether 12:00:00:ab:cd:02 txqueuelen 1000 (Ethernet)
[root at road ~]# grep interfaces /etc/ipsec.conf
interfaces="ipsec0=eth0:1"
[root at road ~]# ipsec start
Redirecting to: systemctl start ipsec.service
[root at road ~]# grep interface /tmp/pluto.log
Using KLIPS IPsec interface code on 3.13.6-200.fc20.x86_64
| Inspecting interface lo
| Inspecting interface eth0
| Inspecting interface eth0:1
| Inspecting interface ipsec0
adding interface ipsec0/eth0:1 11.1.2.3:500
adding interface ipsec0/eth0:1 11.1.2.3:4500
| IP interface eth0 192.1.3.209 has no matching ipsec* interface -- ignored
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
[root at road ~]# ipsec tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0
Test on a machine with multiple interfaces:
[root at east ~]# ifconfig eth0:0 10.0.0.0/24
[root at east ~]# ifconfig eth1:0 10.0.1.0/24
[root at east ~]# ifconfig eth2:0 10.0.2.0/24
[root at east ~]# grep interfaces /etc/ipsec.conf
interfaces="ipsec0=eth0:0 ipsec1=eth1:0 ipsec2=eth2:0"
[root at east ~]# ipsec version
Linux Libreswan Uv3.9-86-gc7e82bb-master/K(no kernel code presently loaded) on 3.13.6-200.fc20.x86_64
[root at east ~]# ipsec start
Redirecting to: systemctl start ipsec.service
[root at east ~]# grep interface /tmp/pluto.log
Using KLIPS IPsec interface code on 3.13.6-200.fc20.x86_64
| Inspecting interface lo
| Inspecting interface eth0
| Inspecting interface eth0:0
| Inspecting interface eth1
| Inspecting interface eth1:0
| Inspecting interface eth2
| Inspecting interface eth2:0
| Inspecting interface ipsec0
| Inspecting interface ipsec1
| Inspecting interface ipsec2
adding interface ipsec2/eth2:0 10.0.2.0:500
adding interface ipsec2/eth2:0 10.0.2.0:4500
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
adding interface ipsec1/eth1:0 10.0.1.0:500
adding interface ipsec1/eth1:0 10.0.1.0:4500
| IP interface eth1 192.1.2.23 has no matching ipsec* interface -- ignored
adding interface ipsec0/eth0:0 10.0.0.0:500
adding interface ipsec0/eth0:0 10.0.0.0:4500
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
[root at east ~]#
Paul
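The manual check in the message above (compare the interfaces= line with the "adding interface" lines in pluto.log) can be scripted. This is an added example, not part of the original post or of libreswan; the function names and the sample input are constructed for illustration, and it assumes the log format shown above and explicit ipsecN=device pairs.

```python
import re

# Constructed sample input, modelled on the config and log lines in the message above;
# the ipsec1 "adding interface" lines are deliberately left out.
SAMPLE_CONF = 'interfaces="ipsec0=eth0:0 ipsec1=eth1:0 ipsec2=eth2:0"'
SAMPLE_LOG = """\
| Inspecting interface eth1:0
adding interface ipsec2/eth2:0 10.0.2.0:500
adding interface ipsec2/eth2:0 10.0.2.0:4500
| IP interface eth1 192.1.2.23 has no matching ipsec* interface -- ignored
adding interface ipsec0/eth0:0 10.0.0.0:500
adding interface ipsec0/eth0:0 10.0.0.0:4500
"""

# Matches e.g. "adding interface ipsec0/eth0:1 11.1.2.3:500"
ADDING = re.compile(r"^adding interface (ipsec\d+)/(\S+) \S+:(\d+)$")


def parse_interfaces(line):
    """Return {ipsecN: device} from an interfaces= line; reject unbalanced quotes."""
    key, sep, value = line.strip().partition("=")
    if key.strip() != "interfaces" or not sep:
        raise ValueError("not an interfaces= line")
    value = value.strip()
    if value.count('"') not in (0, 2) or value.startswith('"') != value.endswith('"'):
        raise ValueError("unbalanced quote in interfaces= value")
    pairs = {}
    for item in value.strip('"').split():
        virt, eq, dev = item.partition("=")
        if eq:  # items that are not ipsecN=device pairs are skipped
            pairs[virt] = dev
    return pairs


def missing_listeners(conf_line, log_text, ports=(500, 4500)):
    """Return sorted (ipsecN, device, port) tuples configured but never logged as added."""
    seen = set()
    for line in log_text.splitlines():
        m = ADDING.match(line.strip())
        if m:
            seen.add((m.group(1), m.group(2), int(m.group(3))))
    wanted = {(v, d, p) for v, d in parse_interfaces(conf_line).items() for p in ports}
    return sorted(wanted - seen)


if __name__ == "__main__":
    for virt, dev, port in missing_listeners(SAMPLE_CONF, SAMPLE_LOG):
        print(f"pluto did not add {virt}/{dev} on port {port}")
```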