Hi,
> a] that my www.2600.com experiment is a valid one and that my
> expectations are correct
It is, but I don't think it is possible to get Split-Exclude working
with iOS.
> b] if you saw anything meaningful/useful in the log output I provided.
> Shunted Connections:
> Unity (ios[1]: 207.99.30.226/32): 10.0.0.1/32 === 207.99.30.226/32 PASS
The problem seems to be that we install the bypass policy using the
virtual IP. This does not make a lot of sense, at least for this kind of
setup.
Instead, we should install the bypass policy between the local 192.*
address and 2600.com. You may try to experiment with the completely
untested patch attached. I don't know if we need some changes to route
installation; alternatively, you can try to force the local source
address in your application for testing (ping -I or so). I'll have to
take a closer look at this when I find some time.
Regards
Martin
diff --git a/src/libcharon/plugins/unity/unity_handler.c b/src/libcharon/plugins/unity/unity_handler.c
index 31d13ad..dded248 100644
--- a/src/libcharon/plugins/unity/unity_handler.c
+++ b/src/libcharon/plugins/unity/unity_handler.c
@@ -187,14 +187,14 @@ static job_requeue_t add_exclude_async(entry_t *entry)
FALSE, 0, 0, NULL, NULL, FALSE);
child_cfg->add_traffic_selector(child_cfg, FALSE,
entry->ts->clone(entry->ts));
- enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE);
- while (enumerator->enumerate(enumerator, &host))
- {
- has_vip = TRUE;
- child_cfg->add_traffic_selector(child_cfg, TRUE,
- traffic_selector_create_from_subnet(host->clone(host), 32, 0, 0));
- }
- enumerator->destroy(enumerator);
+ //enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE);
+ //while (enumerator->enumerate(enumerator, &host))
+ //{
+ // has_vip = TRUE;
+ // child_cfg->add_traffic_selector(child_cfg, TRUE,
+ // traffic_selector_create_from_subnet(host->clone(host), 32, 0, 0));
+ //}
+ //enumerator->destroy(enumerator);
if (!has_vip)
{
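Review bot: with the virtual-IP loop in add_exclude_async() commented out, nothing in this hunk sets has_vip to TRUE any more, so the `if (!has_vip)` check that follows is always taken and the flag is dead. If the local selector should no longer come from the virtual IP, delete the loop instead of leaving it behind `//`, drop has_vip together with the conditional, and check whether `enumerator` and `host` are still used elsewhere in the function so they do not become unused variables. The message says the virtual-IP selector is wrong "at least for this kind of setup", so consider keeping the old behaviour selectable rather than removing it for every Unity client, and add a comment stating which local address the bypass policy is now installed for.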
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users