[Swan] xauth+modecfg and arp issues
Tuomo Soini
tis at foobar.fi
Wed May 2 19:54:43 UTC 2018
On Wed, 2 May 2018 20:08:59 +0200
Erik Andersson <erik at ingate.com> wrote:
> Hi all,
>
> I'm running libreswan 3.23 (using netkey/xfrm) on fedora 26.
>
> Trying to connect clients via xauth and modecfg where the address
> pool for clients is a subset of the network "behind the ipsec
> gateway".
>
> Using the following configuration:
>
> conn remote
>         auto=start
>         authby=secret
>         right=10.48.28.81
>         left=%any
>         rightsubnet=192.168.110.0/24
>         connaddrfamily=ipv4
>         pfs=yes
>         nat-keepalive=yes
>         encapsulation=auto
>         dpddelay="30"
>         dpdtimeout="120"
>         dpdaction=clear
>         rightmodecfgserver=yes
>         leftmodecfgclient=yes
>         modecfgpull=yes
>         leftaddresspool=192.168.110.220-192.168.110.254
>         modecfgdns=10.48.254.21
>         modecfgdomains=example.com
>         rightxauthserver=yes
>         leftxauthclient=yes
>         xauthby=file
>         rekey=no
You need to enable routing for that to work. Proxy ARP requires a host
route to the client.
While xfrm doesn't need routing, the IP stack does.
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>
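The kernel-side preparation Tuomo's reply points at, as an added example that is not part of this thread or of the libreswan project: IP forwarding on, proxy ARP on the LAN interface, and a /32 route for every pool address via the IPsec-facing interface. Interface names (lan0, wan0), the DRY_RUN switch and the pool expansion helpers are assumptions for the example; the pool range is the one from the quoted config. Linux proxy ARP only answers for a target that it routes out of a different interface than the one the request arrived on, and the connected 192.168.110.0/24 route points back at the LAN interface, which is why the host routes are needed. Check what your system's libreswan _updown script already installs before adding routes by hand.

```shell
#!/bin/sh
# Added example, not code from the thread or from libreswan.
# Assumed names: lan0 = interface on 192.168.110.0/24, wan0 = interface
# the IPsec tunnels terminate on. DRY_RUN=1 prints commands instead of
# running them, so the script can be reviewed without root.

LAN_IF="${LAN_IF:-lan0}"
WAN_IF="${WAN_IF:-wan0}"
POOL_START="${POOL_START:-192.168.110.220}"
POOL_END="${POOL_END:-192.168.110.254}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Dotted quad -> integer and back, using only POSIX sh arithmetic.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print every address of the pool, first to last, one per line.
pool_addrs() {
    i=$(ip2int "$1")
    last=$(ip2int "$2")
    while [ "$i" -le "$last" ]; do
        int2ip "$i"
        i=$((i + 1))
    done
}

# 1. The gateway must forward between the decapsulated tunnel traffic
#    and the LAN; xfrm alone does not make the IP stack route.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# 2. Answer ARP requests for the pool addresses on the LAN segment, so
#    LAN hosts send traffic for a client to the gateway's MAC address.
enable_proxy_arp() {
    run sysctl -w "net.ipv4.conf.$LAN_IF.proxy_arp=1"
}

# 3. One host route per pool address via the IPsec-facing interface.
#    Without it the kernel routes 192.168.110.x back out $LAN_IF and
#    refuses to proxy-ARP; with it the xfrm policy lookup on output
#    matches and the packet is encapsulated towards the client.
add_host_routes() {
    pool_addrs "$POOL_START" "$POOL_END" | while read -r addr; do
        run ip route replace "$addr/32" dev "$WAN_IF"
    done
}

# Usage: sh gw-routes.sh apply        (or DRY_RUN=1 sh gw-routes.sh apply)
case "${1:-}" in
    apply)
        enable_forwarding
        enable_proxy_arp
        add_host_routes
        ;;
esac
```

The same three steps can be hooked into a custom updown script (leftupdown=) so the host route appears when a client connects and disappears when its SA is torn down, instead of being pinned for the whole pool at boot.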