[Swan] Roadwarriors Setup With Routing

Nirvana nirvana21 at gmail.com
Wed Nov 1 12:22:44 UTC 2017


On Tue, Oct 31, 2017 at 8:43 AM, Paul Wouters <paul at nohats.ca> wrote:

> On Tue, 31 Oct 2017, Nirvana wrote:
>
>>       Or you can set up one for 0.0.0.0/0 on the server, install firewall
>>       rules there to limit traffic to the three networks, and give the client a
>>       custom leftupdown= script that only routes those 3 subnets into the single
>>       VTI device.
>>
>> Thanks for the response! I am doing what you suggested (0.0.0.0/0 on
>> server and adding routes for VTI interface) and it appears to be working.
>> For instance I am able to add a functioning
>> route using: ip r a 192.168.2.0/24 dev vti9 scope link src 192.168.9.12
>>
>> However if I try to add routes using an updown script I am having an
>> issue where vti9 isn't up yet so I can't add the routes yet. Below is how I
>> was able to test that.
>>
>> In the client config I added: leftupdown=/etc/ipsec.updown
>
> Did you copy the _updown.netkey script and make your additions to that
> script? You still need the real updown script because that is the
> script that actually creates the vti device.
>
>> and created that executable shell script with the following contents:
>> ip a
>> exit 0
>
> Is that a copy paste error? Because I see no script. But you really need
> to take _updown.netkey and _add_ your custom things to that script.
>
> Paul
>

Excellent, I wasn't aware of the _updown.netkey script and some of the
variables in it like VTI_IFACE, which aren't in the ipsec_pluto man page on
my release. I was able to add/remove my routes under the
up-client/down-client case. Now my current issue is pushing my DNS
information. In the _updown.netkey script, under the updateresolvconf
function, it has a conditional checking whether the shell variables
PLUTO_PEER_DNS_INFO or PLUTO_PEER_DOMAIN_INFO are zero length. It appears
that both of these variables come from the shell environment via some other
means. PLUTO_PEER_DNS_INFO is getting populated but PLUTO_PEER_DOMAIN_INFO
is not, so the resolv.conf is not being altered.

On the responder I have these directives:

        rightxauthclient=yes
        rightmodecfgclient=yes
        leftxauthserver=yes
        leftmodecfgserver=yes
        modecfgdns1=192.168.2.100
        modecfgdomain=domain.tldr

On the initiator I have it set to be the client. In this configuration
PLUTO_PEER_DOMAIN_INFO doesn't get set. However, if I set modecfgdomain on
the client, everything works. According to the ipsec.conf man page,
modecfgdomain on the client is the default but is overridden if the server
provides something else, but it looks like the server is not providing that
domain.
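An added example, not from this thread or the Libreswan project, of the kind of leftupdown= script Paul describes: it chains to the stock _updown.netkey first, because that script is what creates the VTI device, and only then adds or removes the split-tunnel routes under the up-client/down-client verbs. The install path of the stock script, the subnet list and the dry-run switch are assumptions; PLUTO_VERB and VTI_IFACE are the variables the thread mentions, and PLUTO_MY_SOURCEIP is assumed to carry the modecfg-assigned client address (192.168.9.12 in the thread).

```shell
#!/bin/sh
# Added example, not from the thread or the Libreswan project.
# Installed as leftupdown= on the client. It runs the stock _updown.netkey
# first (that script creates the VTI device) and only then adds routes for
# the split-tunnel subnets under the up-client/down-client verbs.
# Assumptions: the stock script's install path, the subnet list, and that
# PLUTO_VERB, VTI_IFACE and PLUTO_MY_SOURCEIP are exported to the script.

REAL_UPDOWN=${REAL_UPDOWN:-/usr/libexec/ipsec/_updown.netkey}  # assumed path
SUBNETS="192.168.2.0/24 192.168.3.0/24 192.168.4.0/24"          # constructed
DRYRUN=${DRYRUN:-0}                                              # 1 = print only

# route_cmds VERB IFACE SRC: print one ip(8) command per subnet for the verb;
# any other verb (prepare-client, route-client, ...) produces nothing.
route_cmds() {
    verb=$1 iface=$2 src=$3
    for net in $SUBNETS; do
        case "$verb" in
            up-client)   echo "ip route add $net dev $iface scope link src $src" ;;
            down-client) echo "ip route del $net dev $iface" ;;
        esac
    done
}

# run CMD...: execute the command, or just print it in dry-run mode.
run() { if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi; }

main() {
    # 1. Let the stock script run; without it there is no vti device yet.
    if [ "$DRYRUN" != 1 ]; then
        "$REAL_UPDOWN" "$@" || exit $?
    fi
    # 2. Nothing to do unless this conn uses a VTI interface.
    [ -n "${VTI_IFACE:-}" ] || exit 0
    # 3. Add or remove the routes; src is the modecfg-assigned address.
    route_cmds "${PLUTO_VERB:-}" "$VTI_IFACE" "${PLUTO_MY_SOURCEIP:-}" |
    while read -r cmd; do
        run $cmd   # word splitting intended: each line is one argv
    done
}

# Only act when invoked by pluto (PLUTO_VERB set); sourcing it is otherwise inert.
if [ -n "${PLUTO_VERB:-}" ]; then
    main "$@"
fi
```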