[Swan] libreswan 3.9+klips not listen on multiple secondary address

csszep csszep at gmail.com
Wed Jul 16 21:45:15 EEST 2014


Wow!

It works for me.

cat /etc/ipsec.conf
config setup
        protostack=klips
        #interfaces="ipsec0=eth0"
        interfaces="ipsec0=eth0:0 ipsec1=eth0:1"
        nat_traversal=yes
        #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
        plutodebug=all
        #klipsdebug=all


Jul 16 19:40:22 debian7vm pluto[13267]: listening for IKE messages
Jul 16 19:40:22 debian7vm pluto[13267]: | Inspecting interface lo
Jul 16 19:40:22 debian7vm pluto[13267]: | found lo with address 127.0.0.1
Jul 16 19:40:22 debian7vm pluto[13267]: | Inspecting interface eth0
Jul 16 19:40:22 debian7vm pluto[13267]: | found eth0 with address 192.168.8.129
Jul 16 19:40:22 debian7vm pluto[13267]: | Inspecting interface eth0:0
Jul 16 19:40:22 debian7vm pluto[13267]: | found eth0:0 with address 192.168.8.111
Jul 16 19:40:22 debian7vm pluto[13267]: | Inspecting interface eth0:1
Jul 16 19:40:22 debian7vm pluto[13267]: | found eth0:1 with address 192.168.8.112
Jul 16 19:40:22 debian7vm pluto[13267]: | Inspecting interface ipsec0
Jul 16 19:40:22 debian7vm pluto[13267]: | found ipsec0 with address 192.168.8.111
Jul 16 19:40:22 debian7vm pluto[13267]: | Inspecting interface ipsec1
Jul 16 19:40:22 debian7vm pluto[13267]: | found ipsec1 with address 192.168.8.112
Jul 16 19:40:22 debian7vm pluto[13267]: adding interface ipsec1/eth0:1 192.168.8.112:500
Jul 16 19:40:22 debian7vm pluto[13267]: | NAT-T KLIPS: calling nat_traversal_espinudp_socket
Jul 16 19:40:22 debian7vm pluto[13267]: | NAT-Traversal: Trying new style NAT-T
Jul 16 19:40:22 debian7vm pluto[13267]: | NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
Jul 16 19:40:22 debian7vm pluto[13267]: adding interface ipsec1/eth0:1 192.168.8.112:4500
Jul 16 19:40:22 debian7vm pluto[13267]: adding interface ipsec0/eth0:0 192.168.8.111:500
Jul 16 19:40:22 debian7vm pluto[13267]: | NAT-T KLIPS: calling nat_traversal_espinudp_socket
Jul 16 19:40:22 debian7vm pluto[13267]: | NAT-Traversal: Trying new style NAT-T
Jul 16 19:40:22 debian7vm pluto[13267]: | NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
Jul 16 19:40:22 debian7vm pluto[13267]: adding interface ipsec0/eth0:0 192.168.8.111:4500


Thx
csszep

2014-07-16 20:36 GMT+02:00 Marc-Christian Petersen <m.c.p at gmx.de>:
> Hi csszep,
>
> maybe something like this will help you?
>
> it's for /usr/lib/ipsec/_stackmanager
>
> --- old/_stackmanager   2014-07-09 20:55:10.000000000 +0200
> +++ new/_stackmanager   2014-07-09 21:03:19.509976750 +0200
> @@ -361,11 +361,12 @@ startklips() {
>             ipsec tncfg --attach --virtual ${virt} --physical ${phys}
>
>             # configure all the IPv4/IPv6 addresses (including point-to-point)
> -           ip addr show dev ${phys} | \
> +           ip addr show dev ${phys} label ${phys} | \
>                 awk '$1 == "inet" || ($1 == "inet6" && !/ dynamic/) {
>                 cmd = "ip addr add"
>                 if ($1 == "inet")
>                     sub(" [^ ]+:[^ ]+"," ",$0)
> +                   sub("secondary","",$0)
>                     sub("/.*","",$2)
>                     sub("dynamic","",$0)
>                     for (i = 2; i < NF; i++) {
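Review bot: the added sub("secondary","",$0) is indented as if it belonged to the brace-less if ($1 == "inet"), but awk attaches only the single following statement to that if, so this line (like the sub calls after it) also runs for inet6 records. It also matches the bare substring "secondary" anywhere in $0 rather than the address flag alone. Consider matching the flag with its leading space, for example sub(" secondary","",$0), and either bracing the inet-only statements or aligning the indentation with the unconditional ones so the control flow is clear. On the first changed line, ${phys} is passed unquoted to both dev and label; quoting it would keep an unexpected interface name from being split by the shell.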
>
>
>
>
> On 16.07.2014 at 14:47:37, csszep <csszep at gmail.com> wrote:
>
>> Hello!
>>
>> I'm migrating from openswan to libreswan and I have a host with
>> multiple interfaces and secondary addresses.
>>
>> With openswan (2.6.28) the following line works:
>>
>> interfaces="ipsec0=eth5:0 ipsec1=eth4:0 ipsec2=eth3:0
>>
>> Pluto listens on the secondary addresses on these interfaces.
>>
>> Libreswan does nothing:
>>
>> 2014-07-16T14:42:18+02:00 ngm-fw1 pluto[21053]: Using KLIPS IPsec interface code on 2.6.32-2-generic-zorp34
>> 2014-07-16T14:42:18+02:00 ngm-fw1 pluto[21053]: listening for IKE messages
>> 2014-07-16T14:42:18+02:00 ngm-fw1 pluto[21053]: no public interfaces found
>>
>> Any hint how to listen on multiple specific alias interfaces or
>> secondary addresses with klips+libreswan?

