[Swan] xauth+modecfg and arp issues
Erik Andersson
erik at ingate.com
Thu May 3 08:12:48 UTC 2018
On 2018-05-03 07:36, Tuomo Soini wrote:
> On Wed, 2 May 2018 22:54:43 +0300
> Tuomo Soini <tis at foobar.fi> wrote:
>
>> On Wed, 2 May 2018 20:08:59 +0200
>> Erik Andersson <erik at ingate.com> wrote:
>>
>>> Hi all,
>>>
>>> I'm running libreswan 3.23 (using netkey/xfrm) on fedora 26.
>>>
>>> Trying to connect clients via xauth and modecfg where the address
>>> pool for clients is a subset of the network "behind the ipsec
>>> gateway".
>>>
>>> Using the following configuration:
>>>
>>> conn remote
>>>     auto=start
>>>     authby=secret
>>>     right=10.48.28.81
>>>     left=%any
>>>     rightsubnet=192.168.110.0/24
>
> Sorry, I didn't give you more instructions last night because I was a
> bit confused about your config. I always use left == local, right ==
> remote logic and noticed your config was either a client config or had
> the logic the other way around, and I was already leaving the computer
> when I quickly answered.
>
> There are two ways to force routing.
>
> rightupdown="ipsec _updown.netkey --route yes"
>
> Or.
>
> rightsourceip=192.168.110.254 (or .1 or whatever your IP is in
> 192.168.110.0/24 network).
>
> I'm trying to find out a way to do routing automatically in this case.
> Adding routes is easy but removing is not in this case.
>
Thanks Tuomo for the help! Both suggestions mitigate my issue. Tried to
add routes manually but apparently I was doing it wrong :)

Regards,
Erik
>> You need to enable routing for that to work. Proxy arp requires host
>> route to client.
>>
>> While xfrm doesn't need routing, ip stack does.
>>
>
>