On Wed, 29 Apr 2015 10:58:53 +0200 Wolfgang Nothdurft <[email protected]> wrote:
> The proxy arp entry is for the local address the client gets.

Ok. I misunderstood your use case. I think this is too complicated a solution for the problem. The simple one is to enable the sysctl option proxy_arp for the lan interface if you use a pool which is part of the lan network. If you have eth1 as the lan network interface you could do:

sysctl -w net.ipv4.conf.eth1.proxy_arp=1

When this is activated, the kernel automatically does proxy arp on eth1 if there is a more specific route on a different interface.

> When your local net is 192.186.0.0/24 and the client for example gets
> an ip address from this range, you need a proxy arp entry to
> communicate with other local clients.

Exactly.

> The script checks if the client ip is routable on local ethernet
> devices and adds a proxy arp entry.
>
> Normally this is PLUTO_PEER_CLIENT, but PLUTO_PEER_CLIENT_NET has the
> correct ip without /32 mask.

The way to do proxyarp I described works for cases where you have 192.168.0.32/27 behind eth2 and 192.168.0.0/24 behind eth1. Packets from 192.168.0.32/27 hosts use the default route to 192.168.0.0/24, and the automatic proxyarp on eth1 causes the router to answer with proxy arp, which makes response packets work for the rest of 192.168.0.0/24. Note, with this setup 192.168.0.32/27 can't be used in the 192.168.0.0/24 network. This proxyarp based subnetting is called variable length net masks (VLNM) in some documents.

Could you try with this, I'm sure this is a better solution than hacking forced proxyarp into _updown.*

-- 
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
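The two approaches discussed in this thread, as an added example that is not code from the thread or from libreswan's own _updown script: the per-client check an _updown hook would make ("is the client address inside a local LAN, and if so add a proxy ARP entry on that interface") next to the interface-wide sysctl Tuomo suggests instead. The LAN interface table (LAN_NETS), the DRY_RUN switch, and the function names are assumptions made for this example; a real hook would read the interface list from the routing table and get the client address from PLUTO_PEER_CLIENT_NET. Commands are printed, not executed, unless DRY_RUN=0, since ip and sysctl need root.

```shell
#!/bin/sh
# Added example, not libreswan code. Decides whether a pool address handed to a
# client overlaps a local LAN and builds the proxy-ARP commands for it.

# Constructed LAN table (assumption, not from the thread): "<iface> <net/prefix>".
LAN_NETS="eth1 192.168.0.0/24
eth2 10.20.30.0/24"

# Dotted quad -> 32-bit integer (expects four numeric fields).
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# /N prefix -> 32-bit netmask integer.
prefix2mask() {
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# in_subnet ADDR NET/PREFIX -> exit 0 when ADDR lies inside NET/PREFIX.
in_subnet() {
    n_addr=$(ip2int "$1")
    n_net=$(ip2int "${2%/*}")
    n_mask=$(prefix2mask "${2#*/}")
    [ $(( n_addr & n_mask )) -eq $(( n_net & n_mask )) ]
}

# overlaps NET1/P1 NET2/P2 -> exit 0 when the two prefixes share an address:
# the base of the smaller (longer-prefix) network must fall inside the larger.
overlaps() {
    p1=${1#*/}; p2=${2#*/}
    if [ "$p1" -le "$p2" ]; then in_subnet "${2%/*}" "$1"
    else in_subnet "${1%/*}" "$2"; fi
}

# lan_iface_for ADDR -> prints each LAN interface whose subnet contains ADDR.
lan_iface_for() {
    echo "$LAN_NETS" | while read -r iface net; do
        [ -n "$iface" ] || continue
        if in_subnet "$1" "$net"; then echo "$iface"; fi
    done
}

# updown_proxyarp VERB ADDR -> the per-client commands an _updown hook would
# run for PLUTO_VERB=up-client / down-client when PLUTO_PEER_CLIENT_NET is ADDR
# (Wolfgang's approach). Prints nothing when ADDR is not inside any local LAN.
updown_proxyarp() {
    case $1 in
        up-client)   action=replace ;;
        down-client) action=del ;;
        *) return 1 ;;
    esac
    for iface in $(lan_iface_for "$2"); do
        echo "ip neigh $action proxy $2 dev $iface"
    done
}

# sysctl_for_pool POOL/PREFIX -> one sysctl per LAN interface whose subnet
# overlaps the address pool (Tuomo's interface-wide approach). Remember his
# caveat: the pool range can then not be used by real hosts on that LAN.
sysctl_for_pool() {
    echo "$LAN_NETS" | while read -r iface net; do
        [ -n "$iface" ] || continue
        if overlaps "$1" "$net"; then
            echo "sysctl -w net.ipv4.conf.$iface.proxy_arp=1"
        fi
    done
}

# run_cmds: execute each stdin line only when DRY_RUN=0 (needs root); else print.
run_cmds() {
    while read -r line; do
        if [ "${DRY_RUN:-1}" = 0 ]; then $line; else echo "# $line"; fi
    done
}

# The case from the thread: a client got 192.168.0.40 from a pool carved out
# of the 192.168.0.0/24 LAN behind eth1.
updown_proxyarp up-client 192.168.0.40 | run_cmds
sysctl_for_pool 192.168.0.32/27 | run_cmds
```

Running it dry prints one ip neigh line for eth1 and one sysctl line for eth1; an address such as 172.16.0.5 that belongs to no local LAN yields no proxy entry at all, which is the "is it routable on a local ethernet device" check the hook needs.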
