[Swan] What's a "usable" IP?

Whit Blauvelt whit at transpect.com
Mon Sep 11 17:36:08 UTC 2017


> > Is there any way to override pluto and force it to accept the IP as usable?
> 
> Well, if the IP is not local on the machine, it cannot be used to build
> a packet with that source address.
> 
> If you are on dynamic IP, you probably want to use left=%defaultroute
> instead. If you are behind NAT, you need to use the local IP configured
> on the host (not the public IP used on the upstream NAT gateway) as
> you left= but you might then want to use leftid=publicip.

Paul,

The IP is local on the machine, as I said. It is a fixed IP from a set of
public IPs assigned to an interface on the machine running Libreswan. This
is the machine which is a firewall in our office. There is no NAT between
this IP and the upstream gateway. The only NAT involved is on the other end
of the tunnel, on an AWS instance, which is not complaining.

Another machine with a different subset from the same /27 block of public
IPs, running Openswan, is similarly using one of those IPs for a tunnel, and
there's no problem in that case.

Pluto's logic in deciding whether an IP is "usable" looks to have become
broken somewhere between Openswan 2.6.38 (from the Ubuntu 14.04 deb) and
Libreswan 3.2.1 (from tar, running on Ubuntu 16.04). Is a workaround or fix
possible?

Thanks,
Whit
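The point in Paul's quoted reply, that pluto can only use a left= address that is actually assigned to a local interface (otherwise it cannot build a packet with that source address), comes down to a check an administrator can run before editing ipsec.conf. The following is an added shell example, not code from the thread or from the Libreswan project: it parses `ip -o -4 addr show` output and reports which interface, if any, carries a candidate address. A constructed sample of that output (using the 198.51.100.0/27 documentation range, not any real host's addresses) is embedded so the script runs offline; the live-host path uses the same parser.

```shell
#!/bin/sh
# Added example: is a candidate left= address local on this host?
# pluto needs the address to be assigned to an interface so it can
# source packets from it; a public IP that lives only on an upstream
# NAT gateway should instead appear as leftid= while left= holds the
# host's own address (or left=%defaultroute on a dynamic link).

# Constructed sample of `ip -o -4 addr show` output (documentation range,
# not a real machine): a loopback plus two addresses from a /27 on eth0.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 198.51.100.10/27 brd 198.51.100.31 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 198.51.100.11/27 brd 198.51.100.31 scope global secondary eth0\       valid_lft forever preferred_lft forever'

# Read `ip -o -4 addr show` style lines on stdin; print the interface
# name that carries address $1. Exit 0 if found, 1 otherwise.
iface_for_addr() {
    awk -v want="$1" '
        $3 == "inet" {
            split($4, a, "/")          # strip the prefix length
            if (a[1] == want) { print $2; found = 1; exit }
        }
        END { if (!found) exit 1 }
    '
}

# check_left_addr ADDR [TEXT]
# With TEXT given, parse that instead of the live ip(8) output, so the
# same logic can be exercised against the constructed sample above.
check_left_addr() {
    if [ -n "$2" ]; then
        printf '%s\n' "$2" | iface_for_addr "$1"
    else
        ip -o -4 addr show | iface_for_addr "$1"
    fi
}

# Usage on a real host:  sh check_left.sh 198.51.100.10
if [ "$#" -eq 1 ]; then
    if ifc=$(check_left_addr "$1"); then
        echo "$1 is local on $ifc: usable as left="
    else
        echo "$1 is not on any local interface: put the host's own address in left= (leftid= for a NATed public IP) or use left=%defaultroute"
    fi
fi
```

The parser keys on the `inet` field rather than on a fixed column width, so it also copes with secondary addresses (the second eth0 line above), which is the typical shape when a block of public IPs is bound to one firewall interface as in the thread. Run it against the live host with the address you intend to put in left=; if it reports no interface, pluto's refusal is correct for that host and the fix is in the configuration, not in pluto.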
