[Swan] thought I had connection with arping
Paul Wouters
paul at nohats.ca
Tue Jan 16 00:55:00 EET 2024
On Mon, 15 Jan 2024, Marc wrote:
>>> with such a config
>>> leftsubnet=192.168.21.0/24
>>> rightaddresspool=192.168.21.200-192.168.21.210
>>
>>
>> This can’t really work. Where does the 192.16821.201 live? It’s both on left
>> and on right.
>
> No ip's are either on the left or on the right.
That is not deterministic in your configuration. If this kernel needs to
send a packet to 192.168.21.201, should it go to "left" or "right" ?
> I think this is why host routes are required. I can remember doing something like this with cni plugins. However this is probably limited to the host (guessing here a lot)
You are just digger deeping.
>> Usually one reserved a unique space for addresspool and then all internal
>> machines route that range to the vpn server.
>>
>> Pick another range for addresspool.
>
> Currently I have this working with:
You do not have it working :)
> - on the host no ip in the range 192.168.x.0 on eth1
> - no net.ipv4.conf.eth1.proxy_arp=1
> - in _updown.xfrm I commented out #uproute (the host route for peers)
> - and in updown.sh I have something like this:
>
> 105 PLUTO_PEER_CLIENTIP=${PLUTO_PEER_CLIENT%/*}
> 106 PIDFILE="/tmp/${PLUTO_PEER_CLIENTIP}-arp.pid"
> 107
> 108 if [ "${PLUTO_VERB}" == "up-client" ]
> 109 then
> 110 echo "$(date +"%Y%m%d-%H%M%S") up" >> $TMPLOG
> 111 arping -q -W 4 -i ${PLUTO_INTERFACE} -S ${PLUTO_PEER_CLIENTIP} 192.168.x.a >/dev/null 2>&1 &
> 112 PID=$!
> 113 echo -n "$PID " > "$PIDFILE"
> 114 arping -q -W 4 -i ${PLUTO_INTERFACE} -S ${PLUTO_PEER_CLIENTIP} 192.168.x.b >/dev/null 2>&1 &
> 115 PID=$!
> 116 echo -n "$PID " >> "$PIDFILE"
> 117 fi
If you don't do a double fork from updown, it will not detach properly
and pluto will block forever until the arping command has completed.
See libreswan/contrib/updown-example/
My guess is either the systemd watch dog is shooting pluto because its
blocked indefinately, or pluto managed to fail the updown and brings
down the connection.
> Someone with good knowledge should be able to convert this hack to something that does not need to have this arpings running not? I think this is also related to how ipsec works. I there would be an interface with an ip visible in the container, this would work better. Maybe this host route would be indeed sufficient.
*raises hand*
Use a different range for the addresspool and route that range from your
other nodes to the libreswan server :)
Paul
More information about the Swan
mailing list