Hi Felipe,

That use of `left|rightsubnet` was a huge help.

In an effort to automate the address assignment for a larger network (same 
theme as the OSPF), I’ve been using the `leftupdown` script in 
https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Connection-specific-VTI-Devices.

So I’ve updated it as shown:

> =============================
> Dynamic:
> conn site-2-dynamic-ip
>       mark=%unique
>       left=%defaultroute
>       leftsourceip=%config4
>       leftsubnet=10.10.0.0/22,10.9.255.252/30
>       leftfirewall=no
>       leftupdown=/etc/strongswan.d/ipsec-vti.sh
>       right=st.at.ic.ip
>       rightsubnet=10.10.4.0/22,10.9.255.252/30
>       rightid=%specific.example.com
>       auto=add
> 
> Static:
> conn site-1-static-ip
>       mark=%unique
>       left=st.at.ic.ip
>       leftsubnet=10.10.4.0/22,10.9.255.252/30
>       leftid=%specific.example.com
>       leftfirewall=no
>       leftsourceip=10.9.255.253
>       leftupdown=/etc/strongswan/ipsec-vti.sh
>       right=%any
>       rightsourceip=10.9.255.254
>       rightsubnet=10.10.0.0/22,10.9.255.252/30
>       auto=add
> ===============================

With this configuration, I get full SA and IKE negotiation including TS and 
dynamic side tunnel configuration:

> root@dynamic:/# ip a show vti1
> 49: vti1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1472 qdisc noqueue state UNKNOWN group default qlen 1000
>     link/ipip dy.na.mi.cip peer st.at.ic.ip
>     inet 10.9.255.254/32 scope global vti1
>        valid_lft forever preferred_lft forever

On the static side, I get an error from the script:

> 04[CHD] updown: /etc/strongswan/ipsec-vti.sh: line 15: PLUTO_MY_SOURCEIP: unbound variable

I initially had the same problem on the dynamic side, but the addition of 
`leftsourceip=%config4` and `rightsourceip` on the static side resolved that.

Is there something I am missing to avoid the "PLUTO_MY_SOURCEIP: unbound 
variable" problem?

Thanks so much for your insight!
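For readers hitting the same message: "unbound variable" is what bash prints under `set -o nounset` when a script reads a variable that was never exported, so an updown script can guard the read instead of relying on every peer having a virtual IP. The script below is an added example, not the wiki script and not from this thread; it assumes that a peer which is not assigned a virtual IP (the static side here) does not get PLUTO_MY_SOURCEIP exported and that falling back to PLUTO_ME, the local IKE endpoint, is acceptable. The function names and the DRY_RUN switch are assumptions, not strongSwan features.

```shell
# Added example (not the wiki script, not from this thread): the part of a
# leftupdown script that addresses the VTI, written so that an unset
# PLUTO_MY_SOURCEIP does not abort the script under `set -o nounset`.
# Assumption: a peer that is not assigned a virtual IP (the static side here)
# has no PLUTO_MY_SOURCEIP exported, so we fall back to PLUTO_ME, the local
# IKE endpoint. Function names and DRY_RUN are ours, not strongSwan's.
set -o nounset
set -o errexit

# Run a command, or just print it when DRY_RUN=1 (lets the logic be checked
# on a host without root or a running strongSwan).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Address for the VTI: the virtual IP if one was assigned, else the local
# endpoint address. "${VAR:-}" expands to empty instead of tripping nounset.
vti_local_addr() {
    addr="${PLUTO_MY_SOURCEIP:-}"
    if [ -z "$addr" ]; then
        addr="$PLUTO_ME"
    fi
    printf '%s\n' "$addr"
}

# up-client: create the VTI keyed on the connection mark and address it.
vti_up_client() {
    vti_if="vti${PLUTO_UNIQUEID}"
    addr="$(vti_local_addr)"
    run ip tunnel add "$vti_if" local "$PLUTO_ME" remote "$PLUTO_PEER" \
        mode vti key "${PLUTO_MARK_OUT%%/*}"
    run ip link set "$vti_if" up
    run ip addr add "$addr" dev "$vti_if"
}

# down-client: tear the VTI down again.
vti_down_client() {
    run ip tunnel del "vti${PLUTO_UNIQUEID}"
}

# Dispatch on the verb strongSwan passes; "${PLUTO_VERB:-}" keeps the file
# sourceable for testing when no verb is set.
case "${PLUTO_VERB:-}" in
    up-client)   vti_up_client ;;
    down-client) vti_down_client ;;
esac
```

Running it with `DRY_RUN=1` and the PLUTO_* variables exported by hand shows the commands the script would issue on either side.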
