[Swan] xauth+modecfg and arp issues
Tuomo Soini
tis at foobar.fi
Thu May 3 05:36:56 UTC 2018
On Wed, 2 May 2018 22:54:43 +0300
Tuomo Soini <tis at foobar.fi> wrote:
> On Wed, 2 May 2018 20:08:59 +0200
> Erik Andersson <erik at ingate.com> wrote:
>
> > Hi all,
> >
> > I'm running libreswan 3.23 (using netkey/xfrm) on fedora 26.
> >
> > Trying to connect clients via xauth and modecfg where the address
> > pool for clients is a subset of the network "behind the ipsec
> > gateway".
> >
> > Using the following configuration:
> >
> > conn remote
> >     auto=start
> >     authby=secret
> >     right=10.48.28.81
> >     left=%any
> >     rightsubnet=192.168.110.0/24

Sorry, I didn't give you more instructions last night because I was a
bit confused about your config. I always use left == local, right ==
remote logic and noticed your config was either a client config or had
the logic the other way around, and I was already leaving the computer
when I quickly answered.

There are two ways to force routing.

    rightupdown="ipsec _updown.netkey --route yes"

Or.

    rightsourceip=192.168.110.254

(or .1 or whatever your IP is in the 192.168.110.0/24 network).

I'm trying to find out a way to do routing automatically in this case.
Adding routes is easy but removing is not in this case.
> You need to enable routing for that to work. Proxy arp requires host
> route to client.
>
> While xfrm doesn't need routing, ip stack does.
>
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <https://foobar.fi/>