
List:       libreswan
Subject:    Re: [Swan] Roadwarriors Setup With Routing
From:       Nirvana <nirvana21 () gmail ! com>
Date:       2017-11-01 12:22:44
Message-ID: CAMOMKLbE-70myT+aaxZvy4xyAiKEDDpjgQXftLZfSt=6jEhvVA () mail ! gmail ! com


On Tue, Oct 31, 2017 at 8:43 AM, Paul Wouters <paul@nohats.ca> wrote:

> On Tue, 31 Oct 2017, Nirvana wrote:
>
>>> Or you can set up one for 0.0.0.0/0 on the server, install firewall
>>> rules there to limit traffic to the three networks, and give the
>>> client a custom leftupdown= script that only routes those 3 subnets
>>> into the single VTI device.
>>
>> Thanks for the response! I am doing what you suggested (0.0.0.0/0 on
>> server and adding routes for VTI interface) and it appears to be working.
>> For instance I am able to add a functioning route using:
>> ip r a 192.168.2.0/24 dev vti9 scope link src 192.168.9.12
>>
>> However if I try to add routes using an updown script I am having an
>> issue where vti9 isn't up yet so I can't add the routes yet. Below is how I
>> was able to test that.
>>
>> In the client config I added: leftupdown=/etc/ipsec.updown
>
> Did you copy the _updown.netkey script and make your additions to that
> script? You still need the real updown script because that is the
> script that actually creates the vti device.
>
>> and created that executable shell script with the following contents:
>> ip a
>> exit 0
>
> Is that a copy-paste error? Because I see no script. But you really need
> to take _updown.netkey and _add_ your custom things to that script.
>
> Paul

Excellent, I wasn't aware of the _updown.netkey script and some of the
variables in it, like VTI_IFACE, which aren't in the ipsec_pluto man page on
my release. I was able to add/remove my routes under the
up-client/down-client cases. Now my current issue is pushing my DNS
information. In the _updown.netkey script, under the updateresolvconf
function, there is a conditional checking whether the shell variables
PLUTO_PEER_DNS_INFO or PLUTO_PEER_DOMAIN_INFO are zero length. It appears
that both of these variables come from the shell environment via some other
means. PLUTO_PEER_DNS_INFO is getting populated but PLUTO_PEER_DOMAIN_INFO
is not, so resolv.conf is not being altered.

On the responder I have these directives:

        rightxauthclient=yes
        rightmodecfgclient=yes
        leftxauthserver=yes
        leftmodecfgserver=yes
        modecfgdns1=192.168.2.100
        modecfgdomain=domain.tldr

On the initiator I have it set to be the client. In this configuration
PLUTO_PEER_DOMAIN_INFO doesn't get set. However, if I set modecfgdomain on
the client, everything works. According to the ipsec.conf man page,
modecfgdomain on the client is the default but is overridden if the server
provides something else, but it looks like the server is not providing that
domain.
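The client-side updown wrapper the thread arrives at (run the stock _updown.netkey first so the VTI device exists, then add or remove only the remote subnets under up-client/down-client), as an added example that is not part of the original post and not one of libreswan's own scripts. VTI_IFACE, PLUTO_PEER_DNS_INFO and PLUTO_PEER_DOMAIN_INFO are the variables the thread names; the stock script path, the PLUTO_VERB and PLUTO_MY_SOURCEIP variable names and the three-subnet list are assumptions. The route commands are built by a function so they can be dry-run with IP=echo before the script is wired into leftupdown=, and the modecfg check reports whether both DNS values arrived, which is the symptom the post ends on.

```shell
#!/bin/sh
# /etc/ipsec.updown (added example, not libreswan's own script).
# Wraps the stock _updown.netkey and routes a fixed set of remote subnets
# into the VTI device that the stock script creates.
# Assumptions: the stock script path, the PLUTO_VERB and PLUTO_MY_SOURCEIP
# variable names, and the subnet list. VTI_IFACE, PLUTO_PEER_DNS_INFO and
# PLUTO_PEER_DOMAIN_INFO are the names used in the thread.

STOCK_UPDOWN=${STOCK_UPDOWN:-/usr/libexec/ipsec/_updown.netkey}  # assumed path
IP=${IP:-ip}                                                    # IP=echo to dry-run
# Constructed example list: the three remote networks behind the server.
SUBNETS=${SUBNETS:-"192.168.2.0/24 192.168.3.0/24 192.168.4.0/24"}

# vti_route_cmds VERB IFACE SRC SUBNET...
# Print one "ip" argument line per subnet for up-client/down-client;
# return 1 for any other verb so callers can ignore host/route events.
vti_route_cmds() {
    verb=$1 iface=$2 src=$3
    shift 3
    case $verb in
        up-client)   action=replace ;;
        down-client) action=del ;;
        *)           return 1 ;;
    esac
    for net in "$@"; do
        if [ "$action" = del ]; then
            printf 'route del %s dev %s\n' "$net" "$iface"
        elif [ -n "$src" ]; then
            # Same form as the hand-typed route in the thread.
            printf 'route replace %s dev %s scope link src %s\n' "$net" "$iface" "$src"
        else
            printf 'route replace %s dev %s scope link\n' "$net" "$iface"
        fi
    done
}

# modecfg_status DNS DOMAIN
# Per the thread, updateresolvconf leaves resolv.conf alone unless both
# values are non-empty; return 0 when both arrived, 1 otherwise.
modecfg_status() {
    dns=$1 domain=$2
    if [ -n "$dns" ] && [ -n "$domain" ]; then
        echo "modecfg: resolv.conf will be updated (dns='$dns' domain='$domain')"
        return 0
    fi
    echo "modecfg: resolv.conf NOT updated (dns='$dns' domain='$domain')"
    return 1
}

# Run the stock script (it creates the VTI device), then apply the routes.
# If VTI_IFACE is still empty the device was not created, so do nothing
# rather than add routes to a non-existent interface.
vti_updown() {
    "$STOCK_UPDOWN" "$@" || return $?
    case ${PLUTO_VERB:-} in
        up-client) modecfg_status "${PLUTO_PEER_DNS_INFO:-}" "${PLUTO_PEER_DOMAIN_INFO:-}" >&2 ;;
    esac
    [ -n "${VTI_IFACE:-}" ] || { echo "$0: VTI_IFACE not set, skipping routes" >&2; return 0; }
    vti_route_cmds "${PLUTO_VERB:-}" "$VTI_IFACE" "${PLUTO_MY_SOURCEIP:-}" $SUBNETS |
    while read -r args; do
        # Word splitting of $args is intended: it is the ip argument list.
        $IP $args || true   # a route that is already gone is not a failure
    done
}

# Dispatch only when pluto is actually calling us (PLUTO_VERB set).
if [ -n "${PLUTO_VERB:-}" ]; then
    vti_updown "$@"
fi
```

Point leftupdown=/etc/ipsec.updown at it on the client and keep it executable. To see what it would do without touching the kernel, run it by hand with the stock script stubbed out: IP=echo STOCK_UPDOWN=/bin/true PLUTO_VERB=up-client VTI_IFACE=vti9 PLUTO_MY_SOURCEIP=192.168.9.12 sh /etc/ipsec.updown prints the three route lines; setting PLUTO_PEER_DNS_INFO without PLUTO_PEER_DOMAIN_INFO makes the modecfg line on stderr show the "NOT updated" case described in the post.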




_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan