Thanks Felipe! I had checked that out in the past and there are no values that 
are set that could be used in the script for the same effect (the static 
side tunnel endpoint address).

There are two things I am wondering at this point:

1. Getting this working probably has something to do with the code in 
https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/sa/ike_sa.c;h=3d576a0e89a67b6e76e636ed744e88bdbec3a551;hb=HEAD#l948-979. 
As I have seen an error where “site-1-static-ip has both left- and 
rightsourceip, but IKE can negotiate one virtual IP only, ignoring local 
virtual IP”, I clearly need to specify the leftsourceip on the static side. But 
the IP is no longer virtual in that case. And when it is no longer virtual, the 
code at 
https://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/plugins/updown/updown_listener.c;h=bbefd6a027ceca473da327939da2f70aced887c6;hb=HEAD#l182 
never finds it. 

2. Alternatively, maybe I should drop this idea of using Strongswan setting up 
VTIs. Maybe Bird can deal with tunnels that do not have VTIs and I just don’t 
understand that construction. 

I am worried that I will also lose future compatibility with VTI-capable 
routers (like Cisco et al) if I go with #2. I don’t have any present need for 
doing so, but if I did, converting everything would be a lot of tears.

It seems like what I am trying to do in #1 is not possible given that addresses 
pushed through the updown plugin can only read from IPs found in 
ike_sa_t->my_vips.

Brian

> On Mar 2, 2019, at 8:22 AM, Felipe Arturo Polanco <[email protected]> 
> wrote:
> 
> You can extract the env variables information by using the "set" command, use 
> a temporary updown script that has the following "set > /tmp/output", after 
> establishing the connection, check that output file both in initiator and 
> responder and see if the values are as expected, if they are, try to 
> reproduce the script by typing each command one by one in the console and see 
> its behavior.
> 
> Remember to disable the updown script in strongswan when running it manually. 
> 
> Sent from mobile. 
> 
> On Sat, Mar 2, 2019, 2:22 AM Brian Topping <[email protected]> wrote:
> Hi Felipe,
> 
> That use of `left|rightsubnet` was a huge help.
> 
> In an effort to automate the address assignment for a larger network (same 
> theme as the OSPF), I’ve been using the `leftupdown` script in 
> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Connection-specific-VTI-Devices.
> 
> So I’ve updated it as shown:
> 
>> =============================
>> Dynamic:
>> conn site-2-dynamic-ip
>>      mark=%unique
>>      left=%defaultroute
>>      leftsourceip=%config4
>>      leftsubnet=10.10.0.0/22,10.9.255.252/30
>>      leftfirewall=no
>>      leftupdown=/etc/strongswan.d/ipsec-vti.sh
>>      right=st.at.ic.ip
>>      rightsubnet=10.10.4.0/22,10.9.255.252/30
>>      rightid=%specific.example.com
>>      auto=add
>> 
>> Static:
>> conn site-1-static-ip
>>      mark=%unique
>>      left=st.at.ic.ip
>>      leftsubnet=10.10.4.0/22,10.9.255.252/30
>>      leftid=%specific.example.com
>>      leftfirewall=no
>>      leftsourceip=10.9.255.253
>>      leftupdown=/etc/strongswan/ipsec-vti.sh
>>      right=%any
>>      rightsourceip=10.9.255.254
>>      rightsubnet=10.10.0.0/22,10.9.255.252/30
>>      auto=add
>> ===============================
> 
> With this configuration, I get full SA and IKE negotiation including TS and 
> dynamic side tunnel configuration:
> 
>> root@dynamic:/# ip a show vti1
>> 49: vti1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1472 qdisc noqueue state 
>> UNKNOWN group default qlen 1000
>>     link/ipip dy.na.mi.cip peer st.at.ic.ip
>>     inet 10.9.255.254/32 scope global vti1
>>        valid_lft forever preferred_lft forever
> 
> On the static side, I get an error from the script:
>> 04[CHD] updown: /etc/strongswan/ipsec-vti.sh: line 15: PLUTO_MY_SOURCEIP: 
>> unbound variable
> 
> I initially had the same problem on the dynamic side, but the addition of 
> `leftsourceip=%config4` and `rightsourceip` on the static side resolved that.
> 
> Is there something I am missing to avoid the "PLUTO_MY_SOURCEIP: unbound 
> variable" problem?
> 
> Thanks so much for your insight!
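The "unbound variable" message in the thread is the shell's unset-variable check (set -u) firing inside the updown script, and strongSwan only exports PLUTO_MY_SOURCEIP when it negotiated a virtual IP for the local side. As an added example (not the strongSwan wiki script and not code from anyone in this thread), the POSIX sh helper below keeps that check but falls back to a per-connection address read from a file; the file's "conn=addr/prefix" format is an assumption of the example.

```shell
#!/bin/sh
# Added example: choose the inner address for a VTI device defensively.
# PLUTO_MY_SOURCEIP is set by strongSwan's updown plugin only for a negotiated
# virtual IP; on a peer whose sourceip is a real, static address it is unset,
# so a script running under "set -u" aborts the moment it references it.
set -u

# vti_local_addr CONN FALLBACK_FILE
# Prints addr/prefix for the VTI: PLUTO_MY_SOURCEIP (as a /32 host address)
# when strongSwan exported it, otherwise the "CONN=addr/prefix" line from
# FALLBACK_FILE (constructed format, e.g. /etc/strongswan.d/vti-addrs.conf).
vti_local_addr() {
    conn=$1
    fallback_file=$2
    # "${VAR:-}" expands to empty instead of aborting when VAR is unset.
    if [ -n "${PLUTO_MY_SOURCEIP:-}" ]; then
        printf '%s/32\n' "$PLUTO_MY_SOURCEIP"
        return 0
    fi
    if [ -r "$fallback_file" ]; then
        addr=$(sed -n "s/^${conn}=//p" "$fallback_file" | head -n 1)
        if [ -n "$addr" ]; then
            printf '%s\n' "$addr"
            return 0
        fi
    fi
    # Fail loudly but with a message that names the connection, instead of
    # the bare "unbound variable" abort from the shell.
    echo "updown: no source IP for $conn (PLUTO_MY_SOURCEIP unset, no entry in $fallback_file)" >&2
    return 1
}

# Typical use from the up-client branch of an updown script, where
# PLUTO_CONNECTION is the conn name strongSwan exports:
#   addr=$(vti_local_addr "$PLUTO_CONNECTION" /etc/strongswan.d/vti-addrs.conf) || exit 1
#   ip addr add "$addr" dev "$VTI_INTERFACE"
```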
