[Swan] xauth+modecfg and arp issues

Erik Andersson erik at ingate.com
Thu May 3 08:12:48 UTC 2018



On 2018-05-03 07:36, Tuomo Soini wrote:
> On Wed, 2 May 2018 22:54:43 +0300
> Tuomo Soini <tis at foobar.fi> wrote:
> 
>> On Wed, 2 May 2018 20:08:59 +0200
>> Erik Andersson <erik at ingate.com> wrote:
>>
>>> Hi all,
>>>
>>> I'm running libreswan 3.23 (using netkey/xfrm) on fedora 26.
>>>
>>> Trying to connect clients via xauth and modecfg where the address
>>> pool for clients is a subset of the network "behind the ipsec
>>> gateway".
>>>
>>> Using the following configuration:
>>>
>>> conn remote
>>>       auto=start
>>>       authby=secret
>>>       right=10.48.28.81
>>>       left=%any
>>>       rightsubnet=192.168.110.0/24
> 
> Sorry, I didn't give you more instructions last night because I was a
> bit confused about your config. I always use left == local, right ==
> remote logics and noticed your config was either client config or had
> logics other way around and I was already leaving computer when I
> quickly answered.
> 
> There are two ways to force routing.
> 
> rightupdown="ipsec _updown.netkey --route yes"
> 
> Or.
> 
> rightsourceip=192.168.110.254 (or .1 or whatever your ip is in
> 192.168.110.0/24 network).
> 
> I'm trying to find out a way to do routing automatically in this case.
> Adding routes is easy but removing is not in this case.
> 
Thanks Tuomo for the help! Both suggestions mitigate my issue. Tried to 
add routes manually but apparently I was doing it wrong :)

Regards,

Erik
>> You need to enable routing for that to work. Proxy arp requires host
>> route to client.
>>
>> While xfrm doesn't need routing, ip stack does.
>>
> 
> 


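The mechanism behind "proxy arp requires host route to client", as an added example that is neither code from this thread nor part of libreswan: a POSIX shell script that resolves the client's pool address against a constructed `ip route` table by longest-prefix match and reports which interface the kernel would send through. Linux only answers a proxy ARP request when its route to the target leaves through a different interface than the one the request arrived on, which is why the connected LAN route alone is not enough. Interface names eth1 (LAN) and eth0 (outer), the client address 192.168.110.10 and the exact form of the added host route are assumptions.

```shell
#!/bin/sh
# Added example: why proxy ARP for a modecfg client whose pool address lies
# inside rightsubnet needs a /32 host route. Linux only answers a proxy ARP
# request when its route to the target leaves through a different interface
# than the one the request arrived on; with just the connected LAN route the
# client resolves to the LAN interface itself, so nothing is answered.
# Assumed (not from the thread): eth1 = LAN, eth0 = outer interface,
# client address 192.168.110.10, and the route table contents below.
# egress_dev CLIENT_IP ROUTE_TEXT: prints the device of the longest-prefix
# match for CLIENT_IP in ROUTE_TEXT (lines in "ip route" output format).
egress_dev() {
    printf '%s\n' "$2" | awk -v ip="$1" '
    function toint(a,   p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
    function masked(n, len) { return len == 0 ? 0 : int(n / 2^(32-len)) }
    BEGIN { best = -1; target = toint(ip) }
    {
        dst = ($1 == "default") ? "0.0.0.0/0" : $1; dev = ""
        for (i = 2; i <= NF; i++) if ($i == "dev") dev = $(i+1)
        n = split(dst, d, "/"); len = (n == 2) ? d[2] + 0 : 32
        if (masked(toint(d[1]), len) == masked(target, len) && len > best) {
            best = len; bestdev = dev
        }
    }
    END { if (best >= 0) print bestdev }'
}

# proxy_arp_can_answer CLIENT_IP LAN_DEV ROUTE_TEXT: succeeds when the
# kernel would proxy-ARP for CLIENT_IP on LAN_DEV (egress != LAN_DEV).
proxy_arp_can_answer() {
    dev=$(egress_dev "$1" "$3")
    [ -n "$dev" ] && [ "$dev" != "$2" ]
}

# Constructed gateway route table before any fix: connected routes only.
ROUTES_BEFORE='default via 10.48.28.1 dev eth0
10.48.28.0/24 dev eth0 proto kernel scope link src 10.48.28.81
192.168.110.0/24 dev eth1 proto kernel scope link src 192.168.110.254'
# Same table with a host route for the client towards the outer interface,
# the kind of route "--route yes" or rightsourceip= results in (form assumed).
ROUTES_AFTER="$ROUTES_BEFORE
192.168.110.10 dev eth0 src 192.168.110.254"

for table in BEFORE AFTER; do
    eval routes=\$ROUTES_$table
    verdict="stays silent"; proxy_arp_can_answer 192.168.110.10 eth1 "$routes" && verdict="can answer"
    echo "$table: client egress $(egress_dev 192.168.110.10 "$routes"), proxy ARP $verdict"
done
```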