<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 31, 2017 at 8:43 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">On Tue, 31 Oct 2017, Nirvana wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Or you can set up one for <a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> on the server, install firewall rules<br>
there to limit traffic to the three networks, and give the client a custom<br>
leftupdown= script that only routes those 3 subnets into the single VTI<br>
device.<br>
</blockquote>
<br>
</span><span class="gmail-"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Thanks for the response! I am doing what you suggested (<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> on server and adding routes for VTI interface) and it appears to be working. For instance I am able to add a functioning<br>
route using: ip r a <a href="http://192.168.2.0/24" rel="noreferrer" target="_blank">192.168.2.0/24</a> dev vti9 scope link src 192.168.9.12<br>
<br>
However if I try to add routes using an updown script I am having an issue where vti9 isn't up yet so I can't add the routes yet. Below is how I was able to test that.<br>
<br>
In the client config I added: leftupdown=/etc/ipsec.updown<br>
</blockquote>
<br></span>
Did you copy the _updown.netkey script and make your additions to that<br>
script? You still need the real updown script because that is the<br>
script that actually creates the vti device.<span class="gmail-"><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
and created that executable shell script with the following contents:<br>
ip a<br>
exit 0<br>
</blockquote>
<br></span>
Is that a copy paste error? Because I see no script. But you really need<br>
to take _updown.netkey and _add_ your custom things to that script.<span class="gmail-HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div><div class="gmail_extra">Excellent, I wasn't aware of the _updown.netkey script and some of the variables in it like VTI_IFACE which aren't in the ipsec_pluto man page on my release. I was able to add/remove my routes under the up-client/down-client case. Now my current issue is pushing my DNS information. In the _updown.netkey script under the updateresolvconf function it has a conditional checking for the if the shell variables PLUTO_PEER_DNS_INFO or PLUTO_PEER_DOMAIN_INFO are zero length. It appears that both of these variables come from the shell environment via some other means. PLUTO_PEER_DNS_INFO is getting populated but PLUTO_PEER_DOMAIN_INFO does not so the resolv.conf is not being altered. <br><br>On the responder I have these directives:<br><br> rightxauthclient=yes<br> rightmodecfgclient=yes<br> leftxauthserver=yes<br> leftmodecfgserver=yes<br> modecfgdns1=192.168.2.100<br> modecfgdomain=domain.tldr<br><br></div><div class="gmail_extra">On the initiator I have it set to be the client. In this configuration PLUTO_PEER_DOMAIN_INFO doesn't get set. However if I set modecfgdomain on the client everything works. According to the ipsec.conf man page modecfgdomain on the client is the default but is overridden if the server provides something else but it looks like the server is not providing that domain.<br><br><br></div></div>