[Swan] thought I had connection with arping

Marc Marc at f1-outsourcing.eu
Tue Jan 16 00:40:28 EET 2024


> > the arping is only sending 10, then quits and 7 seconds after that the
> ping stalls.
> 
> Oh I see you did not mix up the terms ping and arping.
> 
> >
> >>>
> > with such a config
> > leftsubnet=192.168.21.0/24
> > rightaddresspool=192.168.21.200-192.168.21.210
> 
> 
> This can’t really work. Where does the 192.168.21.201 live? It’s both on left
> and on right.

No IPs are either on the left or on the right. I think this is why host routes are required. I can remember doing something like this with CNI plugins. However, this is probably limited to the host (guessing here a lot).

> Usually one reserved a unique space for addresspool and then all internal
> machines route that range to the vpn server.
> 
> Pick another range for addresspool.

Currently I have this working with:

- on the host no ip in the range 192.168.x.0 on eth1 
- no net.ipv4.conf.eth1.proxy_arp=1
- in _updown.xfrm I commented out #uproute (the host route for peers)
- and in updown.sh I have something like this:

    # TMPLOG is set earlier in the full script; this default is a hypothetical fallback so the fragment runs on its own
    TMPLOG="${TMPLOG:-/tmp/updown-arp.log}"

    PLUTO_PEER_CLIENTIP=${PLUTO_PEER_CLIENT%/*}      # peer's pool address without the /32
    PIDFILE="/tmp/${PLUTO_PEER_CLIENTIP}-arp.pid"    # PIDs of the arping processes started for this peer

    if [ "${PLUTO_VERB}" = "up-client" ]
    then
      echo "$(date +"%Y%m%d-%H%M%S") up" >> "$TMPLOG"
      # answer ARP on the LAN for the peer's address by sourcing arping from it
      # (192.168.x.a and 192.168.x.b are placeholders from the original post)
      arping -q -W 4 -i "${PLUTO_INTERFACE}" -S "${PLUTO_PEER_CLIENTIP}" 192.168.x.a >/dev/null 2>&1 &
      PID=$!
      echo -n "$PID " > "$PIDFILE"
      arping -q -W 4 -i "${PLUTO_INTERFACE}" -S "${PLUTO_PEER_CLIENTIP}" 192.168.x.b >/dev/null 2>&1 &
      PID=$!
      echo -n "$PID " >> "$PIDFILE"
    fi

    if [ "${PLUTO_VERB}" = "down-client" ]
    then
      echo "$(date +"%Y%m%d-%H%M%S") down" >> "$TMPLOG"
      # stop the arpings started on up-client
      if [ -f "$PIDFILE" ]
      then
        kill -9 $(cat "$PIDFILE")
        rm -f "$PIDFILE"
      fi
    fi

Someone with good knowledge should be able to convert this hack to something that does not need to have these arpings running, no? I think this is also related to how IPsec works. If there were an interface with an IP visible in the container, this would work better. Maybe this host route would indeed be sufficient.
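One way to drop the background arping processes from the hook above, as an added example that is not code from the original post or from the libreswan project: instead of having arping answer on behalf of the peer, the updown script installs a per-address proxy-ARP entry with `ip neigh replace proxy` on up-client and deletes it on down-client, so the kernel itself answers ARP for the pool address on the LAN interface (no `net.ipv4.conf.eth1.proxy_arp=1` needed for a single address). `PLUTO_VERB` and `PLUTO_PEER_CLIENT` are libreswan's updown variables; `LAN_IF`, `DRY_RUN`, the client-address check and the 192.168.21.x sample values are assumptions of this example. It replaces only the ARP side of the hack; getting the LAN's reply packets into the tunnel still depends on the xfrm policy and route setup discussed above.

```shell
#!/bin/sh
# Added example (not from the original post or libreswan): a libreswan-style
# updown hook that makes the kernel answer ARP for a road-warrior's pool address
# via a proxy neighbour entry, instead of keeping arping processes running.
# PLUTO_VERB and PLUTO_PEER_CLIENT are libreswan's updown variables; LAN_IF,
# DRY_RUN and the sample addresses are assumptions for this example.

LAN_IF="${LAN_IF:-eth1}"   # assumed: the LAN-facing interface that must answer ARP for pool addresses
DRY_RUN="${DRY_RUN:-0}"    # 1 = print the ip(8) commands instead of running them (for testing without root)

# Strip the prefix length libreswan appends: "192.168.21.201/32" -> "192.168.21.201"
peer_ip() {
    printf '%s\n' "${1%/*}"
}

# Accept only a dotted quad with octets 0-255. The value arrives via the
# environment from the IKE exchange, so it is checked before reaching a command line.
valid_ipv4() {
    (
        set -f            # no pathname expansion while word-splitting on "."
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for octet in "$@"; do
            case "$octet" in ''|*[!0-9]*) exit 1 ;; esac
            [ "$octet" -le 255 ] || exit 1
        done
    )
}

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Dispatch on the updown verb; other verbs (prepare-client, route-client, ...) need nothing here.
updown() {
    client="$(peer_ip "${PLUTO_PEER_CLIENT:-}")"
    if ! valid_ipv4 "$client"; then
        echo "updown: refusing malformed PLUTO_PEER_CLIENT '${PLUTO_PEER_CLIENT:-}'" >&2
        return 1
    fi
    case "${PLUTO_VERB:-}" in
        # "replace" keeps a re-established tunnel from failing on an entry that already exists
        up-client)   run ip neigh replace proxy "$client" dev "$LAN_IF" ;;
        down-client) run ip neigh del proxy "$client" dev "$LAN_IF" ;;
        *)           : ;;
    esac
}

# Pluto always sets PLUTO_VERB; when the file is sourced for testing it is unset.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown
fi
```

Pointed at by `leftupdown=` in the conn, this runs once per verb and leaves no process behind; `ip neigh show proxy` lists the entries currently installed, which is also the place to check after a tunnel goes down that its entry was removed.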