[Swan] What's a "usable" IP?

Paul Wouters paul at nohats.ca
Thu Sep 21 13:30:42 UTC 2017 

On Thu, 21 Sep 2017, Whit Blauvelt wrote:

> Your suggestion:
>
>> conn amazonwest
>> 	left=%defaultroute
>> 	leftsunet=DD.EE.FF.245/32
>> 	leftsourceip=DD.EE.FF.245
>>         leftid="DD.EE.FF.245"
>> 	right=AA.BB.CC.108
>> 	rightid="AA.BB.CC.108"
>> 	auto=start
>
> cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:11: syntax error,
> unexpected STRING [leftsunet]

should have been "leftsubnet"

> If I take line out that out I get back to:
>
>  Sep 21 09:10:13 nyfw1 pluto[32739]: "amazonwest": We cannot identify
>  ourselves with either end of this connection. AA.BB.CC.108 or
>  AA.BB.CC.102 are not usable

I dont understand how that connection can say AA.BB.CC.102 is not
usable, because it does not appear in the configuration. Anything
learned from %defaultroute should per definition appear as IP
on the machine and there is "available". Do you have a listen=
line that specifies a different IP? Specifying listen= will cause
pluto to ONLY consider that IP address, and any discovery via
a %defaultroute not ending up on that IP will become "unusuable"
because it is not listening on that IP.

> ip addr ls:
>
> 5: enp2s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
>    link/ether a0:36:9f:a6:f8:51 brd ff:ff:ff:ff:ff:ff
>    inet AA.BB.CC.102/27 brd AA.BB.CC.127 scope global enp2s0f1
>       valid_lft forever preferred_lft forever
>    inet AA.BB.CC.108/32 scope global enp2s0f1
>       valid_lft forever preferred_lft forever

If this does not have your default route, then you will need to specify
left=AA.BB.CC.102 assuming this output above comes from that end and
not the remote end.

> We're really back to: What is the logic that declares public IPs which are
> on the local system and perfectly functional "not usable"? I'm suspecting
> that libreswan is doing some sort of simple-minded analysis of routing
> tables; this system, having multiple interfaces, has multiple tables.

If you use %defaultroute, it will ask the kernel what source ip would be
used to reach in resolve_defaultroute_one() in programs/addconn/addconn.c
That should basicaly be the same as running "ping AA.BB.CC.108". But
since you show a network of AA.BB.CC.102/27 it would pick that IP.

I am still very confused about your network and your setup. I don't
think I can be of further help looking at half anonimized logs or
output or partial configs.

Paul

More information about the Swan mailing list