Issue #2243
problem with routes in table 220, I lost my /32 proto/port injections
Status: Closed
Priority: Normal
Assignee: -
Category: -
Affected version: dr|rc|master
Resolution: No change required
Description
Hi,
client: strongSwan U5.4.0/K2.6.32-642.13.1.el6.x86_64
ipsec status
Security Associations (4 up, 0 connecting):
dc1[4]: ESTABLISHED 101 minutes ago, 172.16.0.136[ID12345@service.vpn]...70.167.153.58[nvp10-1.company.com]
dc1{11}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: ca6c97f4_i cd2b5cb6_o
dc1{11}: 10.51.255.253/32 === 10.51.1.11/32[udp/domain] 10.51.1.20/32[tcp/http] 10.51.1.20/32[tcp/https] 10.51.1.27/32 10.51.1.157/32 10.51.1.167/32[tcp/webcache]
dc2[3]: ESTABLISHED 101 minutes ago, 172.16.0.136[ID12345@service.vpn]...98.174.130.56[nvp10-2.company.com]
dc2{12}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3ef2eda_i cb4b06ac_o
dc2{12}: 10.50.255.253/32 === 10.50.1.11/32[udp/domain] 10.50.3.20/32[tcp/http] 10.50.3.20/32[tcp/https] 10.50.3.157/32 10.50.3.167/32[tcp/webcache]
dc3[2]: ESTABLISHED 101 minutes ago, 172.16.0.136[ID12345@service.vpn]...88.198.234.228[vpn10.dc3.crp]
dc3{9}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: cccdc7a8_i cb4f102e_o
dc3{9}: 10.31.255.253/32 === 10.31.1.11/32[udp/domain] 10.31.1.20/32[tcp/http] 10.31.1.20/32[tcp/https] 10.31.1.42/32 10.31.1.157/32 10.31.1.167/32[tcp/webcache]
dc4[1]: ESTABLISHED 101 minutes ago, 172.16.0.136[ID12345@service.vpn]...193.110.184.34[nvp10-4.company.com]
dc4{10}: INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: c2c6e721_i cd422983_o
dc4{10}: 10.20.255.253/32 === 10.20.1.11/32[udp/domain] 10.20.1.20/32[tcp/http] 10.20.1.20/32[tcp/https] 10.20.1.157/32 10.20.1.167/32[tcp/webcache]

ip route show table 220
10.20.1.20 via 172.16.0.1 dev eth0 proto static src 10.20.255.253
10.31.1.167 via 172.16.0.1 dev eth0 proto static src 10.31.255.253
10.51.1.157 via 172.16.0.1 dev eth0 proto static src 10.51.255.253
10.50.1.11 via 172.16.0.1 dev eth0 proto static src 10.50.255.253
10.51.1.27 via 172.16.0.1 dev eth0 proto static src 10.51.255.253
10.51.1.11 via 172.16.0.1 dev eth0 proto static src 10.51.255.253
10.50.3.157 via 172.16.0.1 dev eth0 proto static src 10.50.255.253
10.20.1.167 via 172.16.0.1 dev eth0 proto static src 10.20.255.253
10.31.1.20 via 172.16.0.1 dev eth0 proto static src 10.31.255.253
10.50.3.167 via 172.16.0.1 dev eth0 proto static src 10.50.255.253
10.31.1.42 via 172.16.0.1 dev eth0 proto static src 10.31.255.253
10.31.1.11 via 172.16.0.1 dev eth0 proto static src 10.31.255.253
10.51.1.167 via 172.16.0.1 dev eth0 proto static src 10.51.255.253
10.31.1.157 via 172.16.0.1 dev eth0 proto static src 10.31.255.253
10.51.1.20 via 172.16.0.1 dev eth0 proto static src 10.51.255.253
10.20.1.157 via 172.16.0.1 dev eth0 proto static src 10.20.255.253
10.50.3.20 via 172.16.0.1 dev eth0 proto static src 10.50.255.253
10.20.1.11 via 172.16.0.1 dev eth0 proto static src 10.20.255.25
################################################
strongswan client: 5.5.2dr4
ipsec status
Security Associations (4 up, 0 connecting):
dc1[4]: ESTABLISHED 3 minutes ago, 172.16.0.136[ID12345@service.vpn]...70.167.153.58[nvp10-1.company.com]
dc1{2}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c636c491_i c7d7cdbf_o
dc1{2}: 10.51.255.253/32 === 10.51.1.11/32[udp/domain] 10.51.1.20/32[tcp/http] 10.51.1.20/32[tcp/https] 10.51.1.27/32 10.51.1.157/32 10.51.1.167/32[tcp/webcache]
dc2[3]: ESTABLISHED 3 minutes ago, 172.16.0.136[ID12345@service.vpn]...98.174.130.56[nvp10-2.company.com]
dc2{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ccba4a88_i c7f2696e_o
dc2{1}: 10.50.255.253/32 === 10.50.1.11/32[udp/domain] 10.50.3.20/32[tcp/http] 10.50.3.20/32[tcp/https] 10.50.3.157/32 10.50.3.167/32[tcp/webcache]
dc3[2]: ESTABLISHED 3 minutes ago, 172.16.0.136[ID12345@service.vpn]...88.198.234.228[vpn10.dc3.crp]
dc3{3}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4de39e3_i cf9bf2e0_o
dc3{3}: 10.31.255.253/32 === 10.31.1.11/32[udp/domain] 10.31.1.20/32[tcp/http] 10.31.1.20/32[tcp/https] 10.31.1.42/32 10.31.1.157/32 10.31.1.167/32[tcp/webcache]
dc4[1]: ESTABLISHED 3 minutes ago, 172.16.0.136[ID12345@service.vpn]...193.110.184.34[nvp10-4.company.com]
dc4{4}: INSTALLED, TUNNEL, reqid 4, ESP in UDP SPIs: cbdf0cc3_i ce91716c_o
dc4{4}: 10.20.255.253/32 === 10.20.1.11/32[udp/domain] 10.20.1.20/32[tcp/http] 10.20.1.20/32[tcp/https] 10.20.1.157/32 10.20.1.167/32[tcp/webcache]

ip route show table 220
10.51.1.157 via 172.16.0.1 dev eth0 proto static src 10.51.255.253
10.51.1.27 via 172.16.0.1 dev eth0 proto static src 10.51.255.253
10.50.3.157 via 172.16.0.1 dev eth0 proto static src 10.50.255.253
10.31.1.42 via 172.16.0.1 dev eth0 proto static src 10.31.255.253
10.31.1.157 via 172.16.0.1 dev eth0 proto static src 10.31.255.253
10.20.1.157 via 172.16.0.1 dev eth0 proto static src 10.20.255.253
I lost my /32 proto/port ...
back to 5.4.0 "restored" table 220
bug?
Oleksandr
History
#1 Updated by Tobias Brunner over 5 years ago
- Description updated (diff)
- Status changed from New to Feedback
> bug?
No, that's on purpose. As routes for policies that specify ports and protocol will always be too broad, they are not installed anymore since 5.5.0 (e7369a9dc5). I've explicitly added that to the changelog now.
#2 Updated by Noel Kuntze over 5 years ago
- Status changed from Feedback to Closed
- Resolution set to No change required
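The behaviour described in comment #1, modelled as an added example that is not part of the original thread and is not strongSwan code: it parses a child SA selector line from `ipsec status` and predicts which remote selectors get a route in table 220 from 5.5.0 on. The names `parse_selectors` and `predict_table_220` are hypothetical, and the model assumes an unrestricted local selector and that route installation is otherwise enabled.

```python
import ipaddress
import re

# Constructed sample: the dc1 child SA line from the 5.5.2dr4 `ipsec status`
# output quoted in the issue description.
STATUS_LINE = (
    "dc1{2}: 10.51.255.253/32 === 10.51.1.11/32[udp/domain] "
    "10.51.1.20/32[tcp/http] 10.51.1.20/32[tcp/https] 10.51.1.27/32 "
    "10.51.1.157/32 10.51.1.167/32[tcp/webcache]"
)

# One traffic selector: an IPv4 subnet with an optional [proto/port] suffix.
TS_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+/\d+)(?:\[([^\]]*)\])?")


def parse_selectors(text):
    """Return [(IPv4Network, restriction-or-None), ...] for one side of '==='."""
    return [(ipaddress.ip_network(net), restr or None)
            for net, restr in TS_RE.findall(text)]


def predict_table_220(status_line, gateway, dev):
    """Split remote selectors into (routes expected in table 220, skipped)."""
    local_text, remote_text = status_line.split(": ", 1)[1].split(" === ")
    src = parse_selectors(local_text)[0][0].network_address
    routes, skipped = [], []
    for net, restriction in parse_selectors(remote_text):
        if restriction:
            # A route matches on destination address only, so it would also
            # capture other protocols and ports: not installed since 5.5.0.
            skipped.append(f"{net}[{restriction}]")
            continue
        # `ip route` prints host routes without the /32 suffix.
        dst = str(net.network_address) if net.prefixlen == 32 else str(net)
        routes.append(f"{dst} via {gateway} dev {dev} proto static src {src}")
    return routes, skipped


if __name__ == "__main__":
    routes, skipped = predict_table_220(STATUS_LINE, "172.16.0.1", "eth0")
    print("expected in table 220:", *routes, sep="\n  ")
    print("no route (proto/port selector):", *skipped, sep="\n  ")
```

Destinations in the skipped list get no entry in table 220, so lookups for them fall through to the main routing table.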