On Fri, Sep 30, 2011 at 1:52 PM, Diego Woitasen <[email protected]> wrote:
> On Fri, Sep 30, 2011 at 8:12 AM, Diego Woitasen <[email protected]> wrote:
>> Hi,
>> I have the configuration below. I don't know why Charon doesn't set the
>> routes after SA establishment. It's a net-to-net tunnel and works
>> perfectly for hosts behind the gateway, but if I want to connect from
>> one of the gateways to a host behind the peer I have to configure the
>> route with "src" manually. In the IRC someone told me that Charon sets
>> the "src" in the route if it detects that one of the
>> [left|right]subnet matches the IP of one of the interfaces.
>>
>> ipsec.conf:
>> config setup
>>     crlcheckinterval=30
>>     cachecrls=yes
>>     strictcrlpolicy=no
>>     plutostart=no
>>     hidetos=no
>>     charondebug="knl 1"
>>
>> conn %default
>>     ikelifetime=8h
>>     lifetime=8h
>>     rekeymargin=10m
>>     keyingtries=3
>>     keyexchange=ikev2
>>     mobike=yes
>>     dpddelay=5
>>     dpdaction=clear
>>     authby=rsasig
>>     auto=add
>>     ike=aes128-sha1-modp2048!
>>     esp=aes128-sha1-modp2048!
>>     leftsubnet=10.0.0.0/8
>>     right=%defaultroute
>>     [email protected]
>>     rightcert=nodo668-cert.pem
>>     rightsubnet=10.12.160.0/24
>>     compress=yes
>>
>> conn LabMPLS-drago
>>     left=172.16.1.129
>>     [email protected]
>>
>> conn Lab2MPLS-vera
>>     left=172.19.1.130
>>     [email protected]
>>     right=172.19.1.1
>>     rightsubnet=10.22.160.0/24
>>
>> conn LabMPLS-drago-voip
>>     left=172.16.1.129
>>     [email protected]
>>     leftsubnet=10.87.0.0/16
>>     rightsubnet=10.12.160.168/29
>>     esp=null-sha1-modp2048!
>>     compress=no
>>
>> conn Lab2MPLS-vera-voip
>>     left=172.19.1.130
>>     [email protected]
>>     leftsubnet=10.87.0.0/16
>>     right=172.19.1.1
>>     rightsubnet=10.22.160.168/29
>>     esp=null-sha1-modp2048!
>>     compress=no
>>
>> strongswan.conf:
>>
>> charon {
>>
>>     # number of worker threads in charon
>>     threads = 16
>>
>>     # send strongswan vendor ID?
>>     # send_vendor_id = yes
>>
>>     retransmit_timeout = 1
>>     retransmit_base = 1.8
>>     retransmit_tries = 4
>>     install_routes = yes # I know that yes is the default, but I tried this anyway
>>
>>     plugins {
>>
>>         sql {
>>             # loglevel to log into sql database
>>             loglevel = -1
>>
>>             # URI to the database
>>             # database = sqlite:///path/to/file.db
>>             # database = mysql://user:password@localhost/database
>>         }
>>     }
>>
>>     # ...
>> }
>>
>> pluto {
>>
>> }
>>
>> libstrongswan {
>>
>>     # set to no, the DH exponent size is optimized
>>     # dh_exponent_ansi_x9_42 = no
>> }
>>
>> ip addr show:
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>>     link/ether 00:16:3e:9e:5f:51 brd ff:ff:ff:ff:ff:ff
>>     inet 10.12.160.254/24 brd 10.12.160.255 scope global eth0
>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>>     link/ether 00:16:3e:9e:5f:52 brd ff:ff:ff:ff:ff:ff
>>     inet 172.16.1.1/25 brd 172.16.1.127 scope global eth1
>> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>>     link/ether 00:16:3e:9e:6f:52 brd ff:ff:ff:ff:ff:ff
>>     inet 172.19.1.1/25 brd 172.19.1.127 scope global eth2
>> 5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
>>     link/ether 00:16:3e:9e:7f:52 brd ff:ff:ff:ff:ff:f
>>
>> ip route show:
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>> 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>>     link/ether 00:16:3e:9e:5f:51 brd ff:ff:ff:ff:ff:ff
>>     inet 10.12.160.254/24 brd 10.12.160.255 scope global eth0
>> 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>>     link/ether 00:16:3e:9e:5f:52 brd ff:ff:ff:ff:ff:ff
>>     inet 172.16.1.1/25 brd 172.16.1.127 scope global eth1
>> 4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
>>     link/ether 00:16:3e:9e:6f:52 brd ff:ff:ff:ff:ff:ff
>>     inet 172.19.1.1/25 brd 172.19.1.127 scope global eth2
>> 5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
>>     link/ether 00:16:3e:9e:7f:52 brd ff:ff:ff:ff:ff:f
>>
>> ip route show table 220:
>> [empty]
>>
>>
>>
>> Regards,
>> Diego
>> --
>> Diego Woitasen
>>
>
> Having a look at the code I discovered that Charon sets
> mode=MODE_TRANSPORT if IP_COMP is used. Why? It doesn't make any sense
> to me.
>
> And if there is a good reason, Charon should consider this situation
> and set the routes anyway.
>
> Shall I report a bug?
>
> Regards,
> Diego
>
> --
> Diego Woitasen
>
I forgot to clarify that the route is inserted if compress=no. In the kernel_netlink_ipsec.c add_policy method, the code checks if mode != MODE_TRANSPORT before inserting the route.

Regards,
Diego
--
Diego Woitasen
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
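The check a practitioner would want at this point is a way to tell which table 220 routes charon should have installed for the conns above, whether they are actually there, and what the manual "src" workaround command looks like. The script below is an added example written for this page; it is not code from the thread or from strongSwan. It models the behaviour Diego relays from IRC (the route's "src" is a local interface address that lies inside the local subnet) and takes the interface addresses and the two LabMPLS-drago conns from the post. The `ip route get` line, including the next hop 172.16.1.126, is constructed, since the post does not show the route to the peer; the `ip route replace ... table 220` command it emits is the manual route the post says had to be added by hand.

```python
# Added example (not from the original thread or strongSwan): list the routes
# charon is expected to put in table 220 for net-to-net conns, choosing "src"
# from a local interface inside the local subnet, report which are missing
# from the live table, and print the manual `ip route` workaround for each.
import ipaddress
import re

# Constructed sample of `ip -o -4 addr show`, using the addresses from the post.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.12.160.254/24 brd 10.12.160.255 scope global eth0
3: eth1    inet 172.16.1.1/25 brd 172.16.1.127 scope global eth1
4: eth2    inet 172.19.1.1/25 brd 172.19.1.127 scope global eth2
"""

# Constructed sample of `ip route get <peer>`; the next hop 172.16.1.126 is an
# assumption, the post does not show how the peer is reached.
SAMPLE_ROUTE_GET = {
    "172.16.1.129": "172.16.1.129 via 172.16.1.126 dev eth1 src 172.16.1.1",
}

# The two conns from the post that terminate on peer 172.16.1.129. In that
# ipsec.conf "left" is the remote side and "right" the local gateway.
CONNS = [
    {"name": "LabMPLS-drago", "peer": "172.16.1.129",
     "local_subnet": "10.12.160.0/24", "remote_subnet": "10.0.0.0/8"},
    {"name": "LabMPLS-drago-voip", "peer": "172.16.1.129",
     "local_subnet": "10.12.160.168/29", "remote_subnet": "10.87.0.0/16"},
]


def parse_ip_addr(text):
    """Return [(ifname, IPv4Interface), ...] from `ip -o -4 addr show` output."""
    addrs = []
    for line in text.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            addrs.append((m.group(1), ipaddress.ip_interface(m.group(2))))
    return addrs


def parse_route_get(line):
    """Extract next hop and device from one `ip route get` line."""
    via = re.search(r"\bvia\s+(\S+)", line)
    dev = re.search(r"\bdev\s+(\S+)", line)
    return {"via": via.group(1) if via else None,
            "dev": dev.group(1) if dev else None}


def pick_src(local_subnet, addrs):
    """Local interface address inside the local traffic selector, or None."""
    net = ipaddress.ip_network(local_subnet, strict=False)
    for _, iface in addrs:
        if iface.ip in net:
            return str(iface.ip)
    return None


def expected_routes(conns, addrs, route_get):
    """Routes that should sit in table 220 once the CHILD_SAs are up."""
    routes = []
    for c in conns:
        hop = parse_route_get(route_get[c["peer"]])
        routes.append({"conn": c["name"], "dst": c["remote_subnet"],
                       "via": hop["via"], "dev": hop["dev"],
                       "src": pick_src(c["local_subnet"], addrs)})
    return routes


def parse_table(text):
    """Set of (dst, src) pairs from `ip route show table 220` output."""
    seen = set()
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        src = tok[tok.index("src") + 1] if "src" in tok else None
        seen.add((tok[0], src))
    return seen


def missing_routes(expected, table_text):
    """Expected routes whose destination/src pair is absent from the table."""
    present = parse_table(table_text)
    return [r for r in expected if (r["dst"], r["src"]) not in present]


def route_cmd(r):
    """Manual workaround: the command that installs a route charon skipped."""
    cmd = f"ip route replace {r['dst']} via {r['via']} dev {r['dev']}"
    if r["src"]:
        cmd += f" src {r['src']}"
    return cmd + " table 220"


if __name__ == "__main__":
    addrs = parse_ip_addr(SAMPLE_IP_ADDR)
    # table 220 was empty in the post, so every expected route is reported
    for r in missing_routes(expected_routes(CONNS, addrs, SAMPLE_ROUTE_GET), ""):
        print(f"{r['conn']}: missing -> {route_cmd(r)}")
```

Note what the voip conn shows: its local selector 10.12.160.168/29 contains no interface address, so no "src" can be chosen and the generated route carries none; traffic originating on the gateway itself would then leave with whatever source address the kernel picks for eth1 and fall outside the IPsec policy. On a live box, replace the constructed samples with the real output of `ip -o -4 addr show`, `ip route get <peer>` and `ip route show table 220`.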
