On Thu, 21 Sep 2017, Whit Blauvelt wrote:

Your suggestion:

conn amazonwest
        left=%defaultroute
        leftsunet=DD.EE.FF.245/32
        leftsourceip=DD.EE.FF.245
        leftid="DD.EE.FF.245"
        right=AA.BB.CC.108
        rightid="AA.BB.CC.108"
        auto=start

cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:11: syntax error,
unexpected STRING [leftsunet]

should have been "leftsubnet"

If I take that line out I get back to:

 Sep 21 09:10:13 nyfw1 pluto[32739]: "amazonwest": We cannot identify
 ourselves with either end of this connection. AA.BB.CC.108 or
 AA.BB.CC.102 are not usable

I don't understand how that connection can say AA.BB.CC.102 is not
usable, because it does not appear in the configuration. Anything
learned from %defaultroute should per definition appear as an IP
on the machine and is therefore "available". Do you have a listen=
line that specifies a different IP? Specifying listen= will cause
pluto to ONLY consider that IP address, and any discovery via
a %defaultroute not ending up on that IP will become "unusable"
because it is not listening on that IP.

ip addr ls:

5: enp2s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
   link/ether a0:36:9f:a6:f8:51 brd ff:ff:ff:ff:ff:ff
   inet AA.BB.CC.102/27 brd AA.BB.CC.127 scope global enp2s0f1
      valid_lft forever preferred_lft forever
   inet AA.BB.CC.108/32 scope global enp2s0f1
      valid_lft forever preferred_lft forever

If this does not have your default route, then you will need to specify
left=AA.BB.CC.102 assuming this output above comes from that end and
not the remote end.

We're really back to: What is the logic that declares public IPs which are
on the local system and perfectly functional "not usable"? I'm suspecting
that libreswan is doing some sort of simple-minded analysis of routing
tables; this system, having multiple interfaces, has multiple tables.

If you use %defaultroute, it will ask the kernel what source ip would be
used to reach in resolve_defaultroute_one() in programs/addconn/addconn.c
That should basically be the same as running "ping AA.BB.CC.108". But
since you show a network of AA.BB.CC.102/27 it would pick that IP.

I am still very confused about your network and your setup. I don't
think I can be of further help looking at half anonymized logs or
output or partial configs.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
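As an added illustration of the resolution Paul describes (this is not libreswan's own code), the Python below mirrors what %defaultroute and listen= do: it takes the `src` from `ip route get` output and checks it against the addresses present on the host. The `ip addr` and `ip route get` output is constructed with documentation addresses; the /27 address plus a /32 alias on one interface follow the layout shown in the thread.

```python
import ipaddress
from typing import List, Optional

# Constructed sample output (not captured from the poster's host): the /27
# address plus a /32 alias on one interface, as in the thread.
IP_ADDR_OUTPUT = """\
5: enp2s0f1    inet 192.0.2.102/27 brd 192.0.2.127 scope global enp2s0f1
5: enp2s0f1    inet 192.0.2.108/32 scope global enp2s0f1
"""
# Constructed `ip -4 route get 198.51.100.108` output: the kernel picks the /27 address.
IP_ROUTE_GET_OUTPUT = "198.51.100.108 dev enp2s0f1 src 192.0.2.102 uid 0\n    cache\n"


def local_addresses(ip_addr_output: str) -> List[str]:
    """Collect every IPv4 address from `ip -o -4 addr`-style output."""
    addrs = []
    for line in ip_addr_output.splitlines():
        fields = line.split()
        if "inet" in fields:
            cidr = fields[fields.index("inet") + 1]
            addrs.append(str(ipaddress.ip_interface(cidr).ip))
    return addrs


def defaultroute_source(route_get_output: str) -> Optional[str]:
    """Mimic %defaultroute: the `src` the kernel would use to reach the peer."""
    fields = route_get_output.split()
    if "src" in fields:
        return fields[fields.index("src") + 1]
    return None


def check_left(route_get_output: str, ip_addr_output: str,
               listen: Optional[str] = None) -> dict:
    """Report which address %defaultroute yields and whether pluto would use it.

    `listen` models the listen= option: when set, only that address is usable."""
    src = defaultroute_source(route_get_output)
    local = local_addresses(ip_addr_output)
    usable = src in local and (listen is None or src == listen)
    reason = None
    if src is None:
        reason = "no route to peer"
    elif src not in local:
        reason = "source address not configured on this host"
    elif listen is not None and src != listen:
        reason = f"listen={listen} excludes {src}"
    return {"left": src, "local": local, "usable": usable, "reason": reason}
```

Running `check_left` with `listen="192.0.2.108"` shows how a listen= line turns the address the kernel selected into an "unusable" one.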
