https://bugs.libreswan.org/show_bug.cgi?id=274 reported a difference in behavior between
auto=add
  ipsec auto --add conn
  ipsec auto --up conn

vs

auto=start

In the second case PLUTO_MY_SOURCEIP does not get configured on the client. Currently the updown script calls the function addsource only when it is called with route-client. It seems with auto=start route-client is called before IKE begins. Then there is no SOURCEIP to set. Once the IPsec SA is established pluto calls the updown only with up-client. And the SOURCEIP is not set. We could add an extra call to addsource when called with up-client.

Here is a simple patch for proof of concept. I modified an existing test ikev2-48-nat-cp to test, changed auto=start and removed add and up from road*

-antony
>From d66ee4897381d769ddb47680d34ad7da4e42033d Mon Sep 17 00:00:00 2001 From: Antony Antony <[email protected]> Date: Mon, 21 Nov 2016 20:20:35 +0100 Subject: [PATCH] updown: add SOURCEIP on the client/peer when auto=start too https://bugs.libreswan.org/show_bug.cgi?id=274 --- programs/_updown.netkey/_updown.netkey.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/programs/_updown.netkey/_updown.netkey.in b/programs/_updown.netkey/_updown.netkey.in index 86f858c..50fa270 100644 --- a/programs/_updown.netkey/_updown.netkey.in +++ b/programs/_updown.netkey/_updown.netkey.in @@ -667,6 +667,7 @@ case "${PLUTO_VERB}" in # If you are doing a custom version, firewall commands go here. updateresolvconf addcat + addsource notifyNM connect ;; down-client) @@ -675,6 +676,7 @@ case "${PLUTO_VERB}" in delnflog delcat delvti + delsource # If you are doing a custom version, firewall commands go here. restoreresolvconf notifyNM disconnect -- 2.4.11
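Review bot: with `+ addsource` added to the up-client branch while the route-client branch still calls it, a connection that is routed first and then brought up (the auto=add path the cover text contrasts with auto=start) now runs addsource twice with the same PLUTO_MY_SOURCEIP; if addsource adds the address and its route unconditionally, the second run will fail or log an error, so either make addsource skip an address that is already present or keep only one of the two call sites. The commit message should also say why the call is needed on up-client (for auto=start, route-client runs before IKE, so PLUTO_MY_SOURCEIP is still empty then); that reasoning is in the cover text but not in the patch itself.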
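Review bot: the `+ delsource` in the down-client branch is not mentioned in the subject line or the description, which only proposes an extra addsource on up-client, and it changes the pairing of the source-address handling: addsource still runs on route-client, but its undo now runs on down-client rather than only when the connection is unrouted. For an auto=add connection that stays routed after the SA goes down, this removes the source address while whatever route-client set up presumably remains until unroute-client, which is a behavior change for the case the report says already worked. Either keep the removal on the unroute path as before, or document in the commit message that the source address is now tied to the SA's lifetime.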
_______________________________________________ Swan-dev mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan-dev
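To make the sequencing problem described in the post concrete, here is a small shell model of the updown verb dispatch. It is an added example, not the project's _updown.netkey script: instead of running ip(8) it records which address would have been configured, so the dispatch "before" the patch (addsource only on route-client) and "after" (addsource also on up-client, delsource on down-client) can be compared offline. The guard in addsource that does nothing when PLUTO_MY_SOURCEIP is empty, and the address 192.0.2.10, are assumptions constructed for the example.

```shell
#!/bin/sh
# Constructed model of the updown verb dispatch discussed in this thread.
# NOT the real _updown.netkey script: instead of running ip(8) it records
# which source address would have been configured.

CONFIGURED_SOURCEIP=""

# addsource: configure PLUTO_MY_SOURCEIP on the client. Assumed guard: with
# auto=start pluto runs route-client before IKE, so the variable is still
# empty at that point and there is nothing to add yet.
addsource() {
    if [ -n "${PLUTO_MY_SOURCEIP}" ]; then
        CONFIGURED_SOURCEIP="${PLUTO_MY_SOURCEIP}"
    fi
}

# delsource: undo addsource.
delsource() {
    CONFIGURED_SOURCEIP=""
}

# Dispatch as described in the report: addsource only on route-client.
dispatch_before() {
    case "$1" in
        route-client) addsource ;;
        up-client|down-client) : ;;
    esac
}

# Dispatch as in the posted patch: addsource also on up-client,
# delsource on down-client.
dispatch_after() {
    case "$1" in
        route-client) addsource ;;
        up-client)    addsource ;;
        down-client)  delsource ;;
    esac
}

# Replay the verb sequence pluto issues for auto=start: route-client before
# IKE (PLUTO_MY_SOURCEIP still empty), then up-client once the IPsec SA is
# established and the address is known.
# $1 = dispatch function, $2 = assigned address.
# Prints the source IP left configured, or "<unset>".
simulate_auto_start() {
    CONFIGURED_SOURCEIP=""
    PLUTO_MY_SOURCEIP=""
    "$1" route-client
    PLUTO_MY_SOURCEIP="$2"
    "$1" up-client
    printf '%s\n' "${CONFIGURED_SOURCEIP:-<unset>}"
}

# Same sequence followed by down-client, to check the address is released.
simulate_auto_start_then_down() {
    simulate_auto_start "$1" "$2" >/dev/null
    "$1" down-client
    printf '%s\n' "${CONFIGURED_SOURCEIP:-<unset>}"
}

# Stand-alone run (192.0.2.10 is a constructed sample address).
printf 'before patch: %s\n' "$(simulate_auto_start dispatch_before 192.0.2.10)"
printf 'after patch:  %s\n' "$(simulate_auto_start dispatch_after 192.0.2.10)"
printf 'after down:   %s\n' "$(simulate_auto_start_then_down dispatch_after 192.0.2.10)"
```

Running it shows the report's symptom directly: with the original dispatch the only call to addsource happens while PLUTO_MY_SOURCEIP is empty, so nothing is ever configured, whereas the patched dispatch picks the address up on up-client and releases it on down-client.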
