[Swan] thought I had connection with arping
Marc
Marc at f1-outsourcing.eu
Tue Jan 16 00:40:28 EET 2024
> > the arping is only sending 10, then quits and 7 seconds after that the
> ping stalls.
>
> Oh I see you did not mix up the terms ping and arping.
>
> >
> >>>
> > with such a config
> > leftsubnet=192.168.21.0/24
> > rightaddresspool=192.168.21.200-192.168.21.210
>
>
> This can’t really work. Where does the 192.16821.201 live? It’s both on left
> and on right.
No IPs are either on the left or on the right. I think this is why host routes are required. I can remember doing something like this with CNI plugins. However, this is probably limited to the host (guessing here a lot).
> Usually one reserved a unique space for addresspool and then all internal
> machines route that range to the vpn server.
>
> Pick another range for addresspool.
Currently I have this working with:
- on the host no IP in the range 192.168.x.0 on eth1
- no net.ipv4.conf.eth1.proxy_arp=1
- in _updown.xfrm I commented out #uproute (the host route for peers)
- and in updown.sh I have something like this:
# PLUTO_PEER_CLIENT is the client's pool address with prefix length (e.g. 192.168.21.201/32);
# strip the "/32" so it can be used as an ARP source address. TMPLOG is set earlier in the script.
PLUTO_PEER_CLIENTIP=${PLUTO_PEER_CLIENT%/*}
PIDFILE="/tmp/${PLUTO_PEER_CLIENTIP}-arp.pid"    # one pidfile per client address

if [ "${PLUTO_VERB}" = "up-client" ]
then
    echo "$(date +"%Y%m%d-%H%M%S") up" >> "$TMPLOG"
    # keep the client's address visible in the ARP tables of the LAN hosts (192.168.x.a, 192.168.x.b)
    # for as long as the tunnel is up: arping from the client IP, one request every 4 seconds
    arping -q -W 4 -i "${PLUTO_INTERFACE}" -S "${PLUTO_PEER_CLIENTIP}" 192.168.x.a >/dev/null 2>&1 &
    PID=$!
    echo -n "$PID " > "$PIDFILE"
    arping -q -W 4 -i "${PLUTO_INTERFACE}" -S "${PLUTO_PEER_CLIENTIP}" 192.168.x.b >/dev/null 2>&1 &
    PID=$!
    echo -n "$PID " >> "$PIDFILE"
fi

if [ "${PLUTO_VERB}" = "down-client" ]
then
    echo "$(date +"%Y%m%d-%H%M%S") down" >> "$TMPLOG"
    # stop the arpings started for this client and drop the pidfile
    if [ -f "$PIDFILE" ]
    then
        kill -9 $(cat "$PIDFILE")
        rm -f "$PIDFILE"
    fi
fi
Someone with good knowledge should be able to convert this hack to something that does not need these arpings running, no? I think this is also related to how IPsec works. If there would be an interface with an IP visible in the container, this would work better. Maybe this host route would indeed be sufficient.
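The following is an added example, not Marc's script and not part of Libreswan's own _updown or updown.sh: the same arping hack rewritten as a self-contained POSIX sh hook. It keeps the idea (one background arping per LAN address, sourced from the client's pool address, for the lifetime of the client tunnel) but quotes every PLUTO_* value, records one pid per line, stops the processes with TERM before falling back to KILL, reaps its own children, and refuses to lose pids when up-client fires twice for the same address. The updown hook runs as root with values taken from the negotiated connection, so the quoting is not cosmetic. Assumptions: Thomas Habets' arping flags as used in the post (-i interface, -S source, -W interval), the ARPING/PIDDIR/TMPLOG variables are my own so the hook can be exercised without root, and 192.168.x.a / 192.168.x.b are the same placeholders as above.

```shell
#!/bin/sh
# Added example, not the original poster's updown.sh. Reworked arping keepalive hook.
# ARPING, PIDDIR and TMPLOG are overridable so the logic can be tested without root
# and without a real interface (assumption: Habets' arping option names, as in the post).

ARPING="${ARPING:-arping}"
PIDDIR="${PIDDIR:-/tmp}"
TMPLOG="${TMPLOG:-/tmp/updown-arp.log}"

pidfile_for() {                       # $1 = client ip -> path of its pidfile
    printf '%s/%s-arp.pid\n' "$PIDDIR" "$1"
}

start_keepalive() {                   # $1 = client ip, $2 = interface, $3.. = LAN addresses to arping
    client="$1"; iface="$2"; shift 2
    pidfile=$(pidfile_for "$client")
    # a second up-client for the same address must not orphan the first set of arpings
    if [ -f "$pidfile" ]; then stop_keepalive "$client"; fi
    : > "$pidfile"
    for target in "$@"; do
        # -q quiet, -W 4: one ARP request every 4 seconds, sourced from the client's address
        "$ARPING" -q -W 4 -i "$iface" -S "$client" "$target" >/dev/null 2>&1 &
        printf '%s\n' "$!" >> "$pidfile"        # one pid per line, easy to read back safely
    done
    printf '%s up %s\n' "$(date +"%Y%m%d-%H%M%S")" "$client" >> "$TMPLOG"
}

stop_keepalive() {                    # $1 = client ip; kills the recorded arpings and removes the pidfile
    pidfile=$(pidfile_for "$1")
    [ -f "$pidfile" ] || return 0
    while read -r pid; do
        kill "$pid" 2>/dev/null || continue     # already gone: nothing to do
        wait "$pid" 2>/dev/null || true         # reap it when it is a child of this shell
        if kill -0 "$pid" 2>/dev/null; then     # started by an earlier hook run and still alive
            sleep 1
            kill -9 "$pid" 2>/dev/null || true
        fi
    done < "$pidfile"
    rm -f "$pidfile"
    printf '%s down %s\n' "$(date +"%Y%m%d-%H%M%S")" "$1" >> "$TMPLOG"
}

keepalive_running() {                 # $1 = client ip; true only if every recorded pid is alive
    pidfile=$(pidfile_for "$1")
    [ -f "$pidfile" ] || return 1
    while read -r pid; do
        kill -0 "$pid" 2>/dev/null || return 1
    done < "$pidfile"
    return 0
}

# Entry point when sourced from updown.sh: PLUTO_VERB, PLUTO_PEER_CLIENT (e.g. 192.168.21.201/32)
# and PLUTO_INTERFACE are exported by pluto for each event.
updown_hook() {
    case "${PLUTO_VERB:-}" in
        up-client)
            start_keepalive "${PLUTO_PEER_CLIENT%/*}" "${PLUTO_INTERFACE}" 192.168.x.a 192.168.x.b ;;
        down-client)
            stop_keepalive "${PLUTO_PEER_CLIENT%/*}" ;;
    esac
}
```

Hook it in by sourcing the file from updown.sh and calling updown_hook; with ARPING pointed at a stub the whole up/down cycle can be exercised on a workstation before it is put on the VPN gateway.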