Sorry, I replied too soon... actually the only option that worked was leftupdown="ipsec _updown.netkey --route yes".

The leftsourceip worked because of route caching from the previous test with the leftupdown command, but after rebooting the server with this option set there is no traffic to LAN addresses.


Saludos / Regards / Cumprimentos,
António silva

On 04/18/2017 04:05 PM, Antonio Silva wrote:
Hi Tuomo,

Thanks for the tip, both options, separately, solve my problem!!! I ended up using leftsourceip; I use the leftupdown script to monitor the established connection.

We could add this extra info to the wiki :)

https://libreswan.org/wiki/FAQ#Can_I_hand_out_LAN_IP_addresses_in_the_addresspool.3F


Saludos / Regards / Cumprimentos,
António silva

On 04/18/2017 10:02 AM, Tuomo Soini wrote:
On Mon, 17 Apr 2017 19:04:54 +0200
Antonio Silva <[email protected]> wrote:

OK, so there is something I'm doing badly...

After pinging the IP assigned to the client I print the ARP entries, and
for the IP address in question there is no ARP entry, although it is supposed
to be there with the MAC address of the server...

# ping 192.168.10.206
PING 192.168.10.206 (192.168.10.206) 56(84) bytes of data.
64 bytes from 192.168.10.206: icmp_seq=1 ttl=64 time=509 ms
64 bytes from 192.168.10.206: icmp_seq=2 ttl=64 time=72.0 ms


# arp | grep 192.168.10.206

Proxy ARP doesn't work for pure IPsec. You need to add forced routing
to clients because proxy ARP only works if there is a host route to the client.

     leftupdown="ipsec _updown.netkey --route yes"

Or use leftsourceip=<gateway-lan-ip>.



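The condition Tuomo describes (an addresspool inside the LAN subnet needs a host route on the gateway, which `leftupdown="ipsec _updown.netkey --route yes"` installs) can be checked against an ipsec.conf before deploying. The script below is an added example, not libreswan code; the conn name, addresses and pool range in `SAMPLE_CONF` are constructed, and it only understands the `a-b` form of `rightaddresspool`.

```python
import ipaddress
import re

# Constructed ipsec.conf fragment (not from the thread): LAN addresses handed
# out from the pool, but the updown script is called without --route yes.
SAMPLE_CONF = """\
conn roadwarrior
    left=203.0.113.10
    leftsubnet=192.168.10.0/24
    rightaddresspool=192.168.10.200-192.168.10.220
    leftupdown="ipsec _updown.netkey"
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for a libreswan ipsec.conf fragment."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def pool_overlaps_lan(pool, lan):
    """True if either end of an 'a-b' addresspool lies inside the LAN subnet."""
    net = ipaddress.ip_network(lan, strict=False)
    first, last = (ipaddress.ip_address(p.strip()) for p in pool.split("-"))
    return first in net or last in net

def check_conn(opts):
    """Classify one conn: 'not-lan-pool', 'routed', 'sourceip-only' or 'missing'."""
    pool, lan = opts.get("rightaddresspool"), opts.get("leftsubnet")
    if not pool or not lan or not pool_overlaps_lan(pool, lan):
        return "not-lan-pool"            # proxy ARP on the LAN is not involved
    if "--route yes" in opts.get("leftupdown", ""):
        return "routed"                  # host routes to clients will be added
    if opts.get("leftsourceip"):
        # Works via route caching only; the thread reports it failed after reboot.
        return "sourceip-only"
    return "missing"                     # clients get no host route: no proxy ARP

if __name__ == "__main__":
    for name, opts in parse_conns(SAMPLE_CONF).items():
        print(name, check_conn(opts))    # prints: roadwarrior missing
```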
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan