[Swan] libreswan 3.9+klips not listen on multiple secondary address

Paul Wouters paul at nohats.ca
Wed Jul 16 18:02:41 EEST 2014 

On Wed, 16 Jul 2014, csszep wrote:

> I'm migrating from openswan to libreswan and i have a host with
> multiple interfaces and secondary address.
>
> With openswan (2.6.28) the following line works:
>
> interfaces="ipsec0=eth5:0 ipsec1=eth4:0 ipsec2=eth3:0

Are you missing a closing quote (") there ?

> Pluto listens on secondary address on these interfaces

It works for me?

[root at road ~]# ifconfig eth0:1 11.1.2.3/24
[root at road ~]# ipsec version
Linux Libreswan Uv3.9-86-gc7e82bb-master/K(no kernel code presently
loaded) on 3.13.6-200.fc20.x86_64
[root at road ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
         inet 192.1.3.209  netmask 255.255.255.0  broadcast 192.1.3.255
         ether 12:00:00:ab:cd:02  txqueuelen 1000  (Ethernet)
         RX packets 10342  bytes 2533695 (2.4 MiB)
         RX errors 0  dropped 5  overruns 0  frame 0
         TX packets 11878  bytes 9857645 (9.4 MiB)
         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
         inet 11.1.2.3  netmask 255.255.255.0  broadcast 11.1.2.255
         ether 12:00:00:ab:cd:02  txqueuelen 1000  (Ethernet)

[root at road ~]# grep interfaces /etc/ipsec.conf
 	interfaces="ipsec0=eth0:1"
[root at road ~]# ipsec start
Redirecting to: systemctl start ipsec.service

[root at road ~]# grep interface /tmp/pluto.log 
Using KLIPS IPsec interface code on 3.13.6-200.fc20.x86_64
| Inspecting interface lo 
| Inspecting interface eth0 
| Inspecting interface eth0:1 
| Inspecting interface ipsec0 
adding interface ipsec0/eth0:1 11.1.2.3:500
adding interface ipsec0/eth0:1 11.1.2.3:4500
| IP interface eth0 192.1.3.209 has no matching ipsec* interface -- ignored
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored

[root at road ~]# ipsec tncfg
ipsec0 -> eth0 mtu=16260(1500) -> 1500
ipsec1 -> NULL mtu=0(0) -> 0

test on machine with multiple interfaces:

[root at east ~]# ifconfig eth0:0 10.0.0.0/24
[root at east ~]# ifconfig eth1:0 10.0.1.0/24
[root at east ~]# ifconfig eth2:0 10.0.2.0/24
[root at east ~]# grep interfaces /etc/ipsec.conf
 	interfaces="ipsec0=eth0:0 ipsec1=eth1:0 ipsec2=eth2:0"

ot at east ~]# ipsec version
Linux Libreswan Uv3.9-86-gc7e82bb-master/K(no kernel code presently
loaded) on 3.13.6-200.fc20.x86_64
[root at east ~]# ipsec start
Redirecting to: systemctl start ipsec.service
[root at east ~]# grep interface /tmp/pluto.log 
Using KLIPS IPsec interface code on 3.13.6-200.fc20.x86_64
| Inspecting interface lo 
| Inspecting interface eth0 
| Inspecting interface eth0:0 
| Inspecting interface eth1 
| Inspecting interface eth1:0 
| Inspecting interface eth2 
| Inspecting interface eth2:0 
| Inspecting interface ipsec0 
| Inspecting interface ipsec1 
| Inspecting interface ipsec2 
adding interface ipsec2/eth2:0 10.0.2.0:500
adding interface ipsec2/eth2:0 10.0.2.0:4500
| IP interface eth2 192.9.2.23 has no matching ipsec* interface --
ignored
adding interface ipsec1/eth1:0 10.0.1.0:500
adding interface ipsec1/eth1:0 10.0.1.0:4500
| IP interface eth1 192.1.2.23 has no matching ipsec* interface --
ignored
adding interface ipsec0/eth0:0 10.0.0.0:500
adding interface ipsec0/eth0:0 10.0.0.0:4500
| IP interface eth0 192.0.2.254 has no matching ipsec* interface --
ignored
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
[root at east ~]#

Paul

More information about the Swan mailing list