On Tue, Jan 28, 2020 at 01:19:17AM +0000, Stuart Henderson wrote:
> This at least needs documenting in current.html/upgrade67.html so that
> people aren't caught by surprise (it took me several days to figure
> out as I'd forgotten about this commit!) but this would be better if
> we can show a workaround for people affected by the change.
Agree, sorry for the inconvenience.
> I tried adding a 'type use' flow with ipsecctl but this failed with
> "writev failed: Invalid argument" (same if I removed the existing 'type
> require' flow first) - not sure if there's another way to do this.
>
> Workarounds on $myworkstation side (split horizon DNS, natting
> $myworkstation's non-tunnel traffic to $EXTERNAL_IP to another IP) are
> possible I suppose, but not very appealing. Does anyone have other ideas?
Something you could try is using a virtual interface with an IP from your
private range for the roadwarrior:
myworkstation_vpn = 10.71.0.255

hostname.vether0:
  # hostname.if(5) is not macro expanded, so the address goes in literally
  inet 10.71.0.255/18

iked.conf:
  ikev2 esp from $myworkstation_vpn to 10.71.0.0/18 \
      local $myworkstation peer $EXTERNAL_IP \
      ...
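The workaround above, as an added shell example that is not part of the thread: it creates vether0 with the private-range address, writes the matching hostname.if(5) file and iked.conf(5) fragment, and checks the flows that iked installed. 10.71.0.255 and 10.71.0.0/18 are the values from the mail; the addresses used for $myworkstation and $EXTERNAL_IP are assumed placeholders from the documentation ranges, and the `ipsecctl -sf` sample output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread: apply the vether0 workaround
# and check the resulting flows. 10.71.0.255 and 10.71.0.0/18 come from
# the mail; myworkstation and EXTERNAL_IP below are assumed placeholders
# (documentation ranges), override them in the environment.
myworkstation_vpn=10.71.0.255
vpn_net=10.71.0.0/18
myworkstation=${myworkstation:-192.0.2.10}
EXTERNAL_IP=${EXTERNAL_IP:-198.51.100.1}

# Echo instead of execute when DRY_RUN=1, so the steps can be reviewed first.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Contents of /etc/hostname.vether0. hostname.if(5) is not macro expanded,
# so the literal address goes in, not the iked.conf macro.
hostname_vether0() {
    printf 'inet %s/18\n' "$myworkstation_vpn"
}

# iked.conf(5) macros and flow for the road warrior. Only the vether address
# is covered by the policy, so $myworkstation's own address is free to reach
# $EXTERNAL_IP outside the tunnel. The srcid/auth options of the existing
# entry (the "..." in the mail) belong on the same rule.
iked_conf_fragment() {
    printf 'myworkstation = %s\n' "$myworkstation"
    printf 'EXTERNAL_IP = %s\n' "$EXTERNAL_IP"
    printf 'myworkstation_vpn = %s\n' "$myworkstation_vpn"
    printf 'ikev2 esp from $myworkstation_vpn to %s \\\n' "$vpn_net"
    printf '\tlocal $myworkstation peer $EXTERNAL_IP\n'
}

# Bring vether0 up now and persist it across reboots.
apply_workaround() {
    run ifconfig vether0 create
    run ifconfig vether0 inet "$myworkstation_vpn/18"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "write /etc/hostname.vether0"
    else
        hostname_vether0 > /etc/hostname.vether0
    fi
}

# Check `ipsecctl -sf` output read from stdin: succeed only if an outbound
# flow is sourced from the vether address and no flow still binds
# $myworkstation's own address (the flow the mail above is trying to avoid).
check_flows() {
    awk -v vpn="$myworkstation_vpn" -v ws="$myworkstation" '
        $1 == "flow" && $3 == "out" && $5 == vpn { ok = 1 }
        $1 == "flow" && ($5 == ws || $7 == ws)   { bad = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# Constructed sample `ipsecctl -sf` output (not captured from a real host).
SAMPLE_GOOD="flow esp in from $vpn_net to $myworkstation_vpn peer $EXTERNAL_IP srcid FQDN/gw dstid FQDN/ws type require
flow esp out from $myworkstation_vpn to $vpn_net peer $EXTERNAL_IP srcid FQDN/ws dstid FQDN/gw type require"
SAMPLE_BAD="flow esp in from $vpn_net to $myworkstation peer $EXTERNAL_IP srcid FQDN/gw dstid FQDN/ws type require
flow esp out from $myworkstation to $vpn_net peer $EXTERNAL_IP srcid FQDN/ws dstid FQDN/gw type require"

# Usage: DRY_RUN=1 sh vether_workaround.sh apply
#        sh vether_workaround.sh show >> /etc/iked.conf   (then rcctl restart iked)
#        ipsecctl -sf | sh vether_workaround.sh check
case "${1:-}" in
    apply) apply_workaround ;;
    show)  iked_conf_fragment ;;
    check) check_flows ;;
esac
```

Run `apply` with DRY_RUN=1 first to see the exact ifconfig calls, merge the output of `show` into the existing ikev2 entry rather than appending a second one, and use `check` after `rcctl restart iked` to confirm that the only flows left are for 10.71.0.255.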