[Swan] updown script not called with mast

Paul Wouters paul at nohats.ca
Fri Dec 12 05:34:11 EET 2014


On Thu, 11 Dec 2014, Michael Schwartzkopff wrote:

> I did a little research on my problem. It seems the updown script is not
> called if I use the mast protostack.

Be aware that the _updown script calls the _updown.{protostack} script. So
for most people _updown calls _updown.netkey. In your case it is
supposed to call _updown.mast.

> When I use the klips stack, the script is called. When I only change the
> protostack and interfaces options, the updown script is not called any more.

I tested this (test basic-pluto-01 converted to protostack=mast) and it
seems to work for me. The logs show:

| executing spdadd-client: 2>&1 PLUTO_MY_REF=3 PLUTO_PEER_REF=1
PLUTO_SAREF_TRACKING=yes PLUTO_VERB='spdadd-client' PLUTO_VERSION='2.0'
PLUTO_CONNECTION='westnet-eastnet' PLUTO_INTERFACE='mast0'
PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.2.45' PLUTO_MY_ID='@west'
PLUTO_MY_CLIENT='192.0.1.0/24' PLUTO_MY_CLIENT_NET='192.0.1.0'
PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0'
PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP'
PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east'
PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0'
PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='mast'
PLUTO_ADDTIME='0'
PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW'
PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0'
PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER=''
PLUTO_NM_CONFIGURED='0' ipsec _updown

[...]

"westnet-eastnet" #2: spdadd-client output: ip6tables v1.4.19.1: invalid
mask `255.255.255.0' specified
"westnet-eastnet" #2: spdadd-client output: Try `ip6tables -h' or
'ip6tables --help' for more information.
| command executing up-client

[...]

| command executing route-client
[...]

Perhaps you can show us a log made with plutodebug=all ?

Can I ask why you want to use the mast stack? It was mostly to support
multiple L2TP/Transport connections with NAT, and those deployments are
best upgraded to IPsec/XAUTH ("Cisco IPsec mode"). The only known client
not to support IPsec/XAUTH is Windows, for which free clients such as
the Shrew software client are available that support it.

Paul
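The dispatch rule Paul describes (_updown handing off to _updown.{protostack}) and the ip6tables mask error in the quoted log, as an added shell example that is neither Libreswan's own _updown code nor part of this thread; the function names and the shortened log line are constructed for the example:

```sh
#!/bin/sh
# Added example, not Libreswan's own _updown. It models the rule that _updown
# hands off to _updown.${PLUTO_STACK}, and picks iptables/ip6tables from
# PLUTO_CONN_ADDRFAMILY so an IPv4 mask is never given to ip6tables, which is
# the failure the quoted log shows. Names and the log line are constructed.
# Shortened copy of the "executing spdadd-client" line pluto logs (constructed).
LOG_LINE="| executing spdadd-client: 2>&1 PLUTO_VERB='spdadd-client' \
PLUTO_CONNECTION='westnet-eastnet' PLUTO_INTERFACE='mast0' \
PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_STACK='mast' \
PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 ipsec _updown"

# log_var NAME LINE: print the value of NAME='value' (or NAME=value) in LINE.
log_var() {
    printf '%s\n' "$2" |
        sed -n "s/.*[[:space:]]$1='\{0,1\}\([^' ]*\)'\{0,1\}.*/\1/p"
}

# updown_script STACK: the stack-specific script _updown dispatches to;
# fails for an empty or unknown protostack so the gap shows up in the log.
updown_script() {
    case "$1" in
        netkey|klips|mast) echo "_updown.$1" ;;
        *) echo "updown: no _updown script for protostack '$1'" >&2; return 1 ;;
    esac
}

# fw_tool FAMILY: iptables for ipv4, ip6tables for ipv6.
fw_tool() {
    case "$1" in
        ipv4) echo iptables ;;
        ipv6) echo ip6tables ;;
        *) echo "updown: unknown address family '$1'" >&2; return 1 ;;
    esac
}
# mask_fits TOOL MASK: a dotted-quad mask is only valid for iptables.
mask_fits() {
    case "$2" in
        *.*.*.*) [ "$1" = iptables ] ;;
        *)       [ "$1" = ip6tables ] ;;
    esac
}
# plan_updown LINE: print "SCRIPT TOOL MASK" for the connection logged in
# LINE, or fail (reason on stderr) when the chosen tool cannot take the mask.
plan_updown() {
    script=$(updown_script "$(log_var PLUTO_STACK "$1")") || return 1
    tool=$(fw_tool "$(log_var PLUTO_CONN_ADDRFAMILY "$1")") || return 1
    mask=$(log_var PLUTO_MY_CLIENT_MASK "$1")
    mask_fits "$tool" "$mask" || { echo "updown: $tool rejects mask $mask" >&2; return 1; }
    echo "$script $tool $mask"
}
```

Run with a real "executing spdadd-client" line from plutodebug output to see which stack script and firewall tool the logged environment would select.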
