Andreas,

I found that $PLUTO_MY_SOURCEIP is empty after the IPsec SA is established 
successfully. I want to get the virtual IP from this environment variable, as 
this would be a great convenience for my application coding.

[r...@localhost etc]# ipsec up home
initiating IKE_SA home[1] to 135.252.130.87
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 135.252.131.87[500] to 135.252.130.87[500]
received packet: from 135.252.130.87[500] to 135.252.131.87[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ 
N(MULT_AUTH) ]
received cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger 
Zhang, e=zha...@alcatel-lucent.com"
sending cert request for "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger 
Zhang, e=zha...@alcatel-lucent.com"
authentication of 'moon.strongswan.org' (myself) with RSA signature successful
sending end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, 
CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
establishing CHILD_SA home
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP SA TSi TSr 
N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
sending packet: from 135.252.131.87[4500] to 135.252.130.87[4500]
received packet: from 135.252.130.87[4500] to 135.252.131.87[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH CP SA TSi TSr N(AUTH_LFT) 
N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
received end entity cert "C=CN, ST=Shandong, O=ALU, OU=RD, 
CN=sun.strongswan.org, e=...@alcatel-lucent.com"
  using certificate "C=CN, ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, 
e=...@alcatel-lucent.com"
  using trusted ca certificate "C=CN, ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger 
Zhang, e=zha...@alcatel-lucent.com"
checking certificate status of "C=CN, ST=Shandong, O=ALU, OU=RD, 
CN=sun.strongswan.org, e=...@alcatel-lucent.com"
certificate status is not available
authentication of 'sun.strongswan.org' with RSA signature successful
scheduling reauthentication in 3413s
maximum IKE_SA lifetime 3593s
IKE_SA home[1] established between 
135.252.131.87[moon.strongswan.org]...135.252.130.87[sun.strongswan.org]
installing new virtual IP 10.3.0.1
[r...@localhost etc]# echo $PLUTO_MY_SOURCEIP

[r...@localhost etc]# cd /usr/local/


Charon log in messages
Aug 29 09:21:57 localhost charon: 09[CFG] received stroke: initiate 'home'
Aug 29 09:21:57 localhost charon: 12[IKE] initiating IKE_SA home[1] to 
135.252.130.87
Aug 29 09:21:57 localhost charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA 
KE No N(NATD_S_IP) N(NATD_D_IP) ]
Aug 29 09:21:57 localhost charon: 12[NET] sending packet: from 
135.252.131.87[500] to 135.252.130.87[500]
Aug 29 09:21:57 localhost charon: 13[NET] received packet: from 
135.252.130.87[500] to 135.252.131.87[500]
Aug 29 09:21:57 localhost charon: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE 
No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Aug 29 09:21:57 localhost charon: 13[IKE] received cert request for "C=CN, 
ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
Aug 29 09:21:57 localhost charon: 13[IKE] sending cert request for "C=CN, 
ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
Aug 29 09:21:57 localhost charon: 13[IKE] authentication of 
'moon.strongswan.org' (myself) with RSA signature successful
Aug 29 09:21:57 localhost charon: 13[IKE] sending end entity cert "C=CN, 
ST=Shandong, O=ALU, OU=RD, CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
Aug 29 09:21:57 localhost charon: 13[IKE] establishing CHILD_SA home
Aug 29 09:21:57 localhost charon: 13[ENC] generating IKE_AUTH request 1 [ IDi 
CERT CERTREQ IDr AUTH CP SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) ]
Aug 29 09:21:57 localhost charon: 13[NET] sending packet: from 
135.252.131.87[4500] to 135.252.130.87[4500]
Aug 29 09:21:57 localhost charon: 14[NET] received packet: from 
135.252.130.87[4500] to 135.252.131.87[4500]
Aug 29 09:21:57 localhost charon: 14[ENC] received end entity cert "C=CN, 
ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
Aug 29 09:21:57 localhost charon: 14[CFG]   using certificate "C=CN, 
ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
Aug 29 09:21:57 localhost charon: 14[IKE]   using trusted ca certificate "C=CN, 
ST=Shandong, L=QD, O=ALU, OU=RD, CN=Roger Zhang, e=zha...@alcatel-lucent.com"
Aug 29 09:21:57 localhost charon: 14[CFG] checking certificate status of "C=CN, 
ST=Shandong, O=ALU, OU=RD, CN=sun.strongswan.org, e=...@alcatel-lucent.com"
Aug 29 09:21:57 localhost charon: 14[CFG] certificate status is not available
Aug 29 09:21:57 localhost charon: 14[CFG] authentication of 
'sun.strongswan.org' with RSA signature successful
Aug 29 09:21:57 localhost charon: 14[CFG] scheduling reauthentication in 3413s
Aug 29 09:21:57 localhost charon: 14[IKE] maximum IKE_SA lifetime 3593s
Aug 29 09:21:57 localhost charon: 14[IKE] IKE_SA home[1] established between 
135.252.131.87[moon.strongswan.org]...135.252.130.87[sun.strongswan.org]
Aug 29 09:21:57 localhost charon: 14[IKE] installing new virtual IP 10.3.0.1

Thanks,
Roger

> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.stef...@strongswan.org]
> Sent: Thursday, August 27, 2009 4:37 PM
> To: Zhang, Long (Roger)
> Cc: users@lists.strongswan.org
> Subject: Re: [strongSwan] get inner virtual IP
> 
> Hi Roger,
> 
> the assigned virtual IP Address is available in the environmental
> variable $PLUTO_MY_SOURCEIP in the /usr/libexec/ipsec/_updown script
> which is called by the charon daemon after the IPsec SA has been
> established successfully. You could adapt the _updown script so that
> it communicates the virtual IP address to your application.
> 
> Alternatively your application could call the system command
> 
> ip addr list dev eth0
> 
> and extract the virtual IP assigned to the physical interface.
> 
> Regards
> 
> Andreas
> 
> Zhang, Long (Roger) wrote:
> > Hi,
> >
> > I have tried the IKEv2 config-payload example at
> > http://www.strongswan.org/uml/testresults43/ikev2/config-payload/
> > successfully.
> >
> > I want to get the inner virtual IP address that is assigned by
> > config-payload for later use in my application, by shell command or TCL.
> > Is there an easy way to get it? Currently I can only see it with
> > "ipsec status home" by checking the last line. This is easy to do
> > manually, but not easy for code to do accurately. So I want to ask if
> > there is an easy and accurate way to get it?
> >
> > [r...@localhost etc]# ipsec statusall home
> > Status of IKEv2 charon daemon (strongSwan 4.3.4):
> >   uptime: 28 minutes, since Aug 28 14:57:39 2009
> >   worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3
> >   loaded plugins: aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc
> stroke kernel-netlink updown resolv-conf
> > Listening IP addresses:
> >   135.252.131.87
> > Connections:
> >         home:  135.252.131.87...135.252.130.87
> >         home:   local:  [moon.strongswan.org] uses public key
> authentication
> >         home:    cert:  "C=CN, ST=Shandong, O=ALU, OU=RD,
> CN=moon.strongswan.org, e=m...@alcatel-lucent.com"
> >         home:   remote: [sun.strongswan.org] uses any authentication
> >         home:   child:  dynamic === 10.1.0.0/16
> > Security Associations:
> >         home[1]: ESTABLISHED 27 minutes ago,
> 135.252.131.87[moon.strongswan.org]...135.252.130.87[sun.strongswan.org]
> >         home[1]: IKE SPIs: 69208f149b5fab33_i* ca28924955c169b3_r,
> public key reauthentication in 23 minutes
> >         home[1]: IKE proposal:
> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> >         home{1}:  INSTALLED, TUNNEL, ESP SPIs: caf62dcc_i ccae8f3e_o
> >         home{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
> rekeying in 3 minutes
> >         home{1}:   10.3.0.1/32 === 10.1.0.0/16
> >
> > Thanks,
> > Roger
> 
> ======================================================================
> Andreas Steffen                         andreas.stef...@strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> 
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
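
The approach suggested in the quoted reply (have the updown script pass the virtual IP on to the application), as an added shell example that is not part of the thread and not strongSwan's own _updown script. `STATE_DIR`, the `.vip` file layout and the function names are assumptions; the `PLUTO_*` variables exist only in the environment charon gives the updown script, so the value is validated and written to a private file the application can read later.

```shell
#!/bin/sh
# Added example; STATE_DIR, the *.vip layout and function names are assumptions.
STATE_DIR="${STATE_DIR:-/var/run/ipsec-vip}"

# Accept only a strict dotted-quad IPv4 address such as 10.3.0.1.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Run inside the updown script, where charon has set the PLUTO_* variables.
record_virtual_ip() {
    conn=${PLUTO_CONNECTION:-}
    case "$conn" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    file="$STATE_DIR/$conn.vip"
    case "${PLUTO_VERB:-}" in
        up-host|up-client)
            is_ipv4 "${PLUTO_MY_SOURCEIP:-}" || return 1
            mkdir -p "$STATE_DIR" || return 1
            tmp="$file.$$"
            # Write privately, then rename so readers never see a partial file.
            (umask 077; printf '%s\n' "$PLUTO_MY_SOURCEIP" > "$tmp") || return 1
            mv "$tmp" "$file"
            ;;
        down-host|down-client)
            rm -f "$file"
            ;;
    esac
}

# Run by the application: prints the recorded virtual IP for a connection.
get_virtual_ip() {
    case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    file="$STATE_DIR/$1.vip"
    [ -r "$file" ] || return 1
    read -r ip < "$file" || return 1
    is_ipv4 "$ip" && printf '%s\n' "$ip"
}

# When invoked as the updown hook, PLUTO_VERB is set and the IP is recorded.
if [ -n "${PLUTO_VERB:-}" ]; then record_virtual_ip; fi
```

An application (shell or TCL via `exec`) would then call `get_virtual_ip home` instead of parsing `ipsec status` output.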