Issue #3506

Leftupdown - Leftsubnet

Added by Alf Stun about 1 month ago. Updated about 1 month ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.6.3
Resolution:

Description

Hello All,

I have two leftsubnets configured in my ipsec.conf (leftsubnet=range1,range2).
With this configuration, the leftupdown script is launched two times in parallel (one time for range 1 and a second time for range 2).
Is there a means to catch the subnet in the script and execute different iptables rules if I am in range 1 or range 2?

Many thanks in advance,
Best Regards.

History

#1 Updated by Tobias Brunner about 1 month ago

  • Category changed from pluto to configuration
  • Status changed from New to Feedback

I have two leftsubnets configured in my ipsec.conf (leftsubnet=range1,range2).
With this configuration, the leftupdown script is launched two times in parallel (one time for range 1 and a second time for range 2).
Is there a means to catch the subnet in the script and execute different iptables rules if I am in range 1 or range 2?

It's a script, so you can do whatever you like with the values passed to the script.

#2 Updated by Alf Stun about 1 month ago

Thank you.
The question is more: how can I catch the values related to the leftsubnet in my script (range1 or range2), or how can I manage iptables rules only once with two leftsubnets (knowing that the script is launched two times in parallel)?

Many thanks.

#3 Updated by Tobias Brunner about 1 month ago

The question is more: how can I catch the values related to the leftsubnet in my script (range1 or range2)

What do you mean? The local traffic selector is passed in PLUTO_MY_CLIENT.

or how can I manage iptables rules only once with two leftsubnets (knowing that the script is launched two times in parallel

It won't be started in parallel (at least not if you have a single CHILD_SA with multiple traffic selectors). And it will be called with different values (different local traffic selectors) each time.

If you prefer only one call per CHILD_SA (with all traffic selectors) then use the vici child-updown event.
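An added example of such a leftupdown script (not strongSwan's _updown and not code from this thread): it dispatches on PLUTO_VERB and on the local traffic selector in PLUTO_MY_CLIENT, so each of the two sequential calls applies the rule for its own subnet, and the insert is made idempotent with `iptables -C`. The two subnets, the peer selector and the FORWARD rules are constructed placeholders, and it assumes PLUTO_MY_CLIENT arrives as network/prefix.

```shell
#!/bin/sh
# Added example, not strongSwan's own _updown script: a leftupdown script that
# picks iptables rules by the local traffic selector charon passes in
# PLUTO_MY_CLIENT. With leftsubnet=range1,range2 charon runs the script once
# per selector, so each run sees exactly one subnet. The subnets below are
# constructed placeholders; replace them with the real leftsubnet values.
RANGE1="10.1.0.0/24"
RANGE2="10.2.0.0/24"

# Map PLUTO_VERB to the iptables action: insert on up, delete on down.
action_for_verb() {
    case "$1" in
        up-client|up-host)     echo "-I" ;;
        down-client|down-host) echo "-D" ;;
        *) return 1 ;;
    esac
}

# Build the rule for one local selector ($1) and the peer selector ($2).
# A selector that is neither range gets no rule (return 1), so an unexpected
# value never touches the firewall.
rule_for_subnet() {
    case "$1" in
        "$RANGE1") echo "FORWARD -s $RANGE1 -d $2 -m policy --dir out --pol ipsec --proto esp -j ACCEPT" ;;
        "$RANGE2") echo "FORWARD -s $2 -d $RANGE2 -m policy --dir in --pol ipsec --proto esp -j ACCEPT" ;;
        *) return 1 ;;
    esac
}

# Full iptables command line for one invocation: $1 verb, $2 local TS, $3 peer TS.
iptables_cmd() {
    action=$(action_for_verb "$1") || return 1
    rule=$(rule_for_subnet "$2" "$3") || return 1
    echo "iptables $action $rule"
}

# Apply the rule for the current invocation. The -C check makes the insert
# idempotent: a repeated up-client for the same selector must not stack
# duplicate rules. Unknown verbs or selectors are ignored.
apply_rule() {
    action=$(action_for_verb "$PLUTO_VERB") || return 0
    rule=$(rule_for_subnet "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT") || return 0
    if [ "$action" = "-I" ] && iptables -C $rule 2>/dev/null; then return 0; fi
    iptables $action $rule
}

# Only act when run by charon (PLUTO_VERB is set), so sourcing it for tests is safe.
if [ -n "$PLUTO_VERB" ]; then apply_rule; fi
```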

#4 Updated by Alf Stun about 1 month ago

Thank you.
I will try to add more information.

Here is my ipsec status:

Connector[1]: ESTABLISHED 47 seconds ago, IP1[PARTA]...IP2[TEST.PARTB]
Connector{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 65156ca_i c245159842_o
Connector{1}:   range1 range2 === IP

range1 and range2 are configured in my ipsec.conf as follows:
leftsubnet=range1,range2

With this configuration, the leftupdown is launched two times (one for range1 and one for range2).
If I cut range2, then the leftupdown is launched only one time, but that is not my use case.

And I don't know how I can manage the situation where the script behind leftupdown is launched two times.
So I tried to catch a pluto variable to identify the range (1 or 2) and take different actions (iptables rules).

But in the pluto variables I don't have range information:

PLUTO_VERSION
PLUTO_VERB
PLUTO_CONNECTION
PLUTO_NEXT_HOP
PLUTO_INTERFACE
PLUTO_ME
PLUTO_MY_CLIENT
PLUTO_MY_CLIENT_NET
PLUTO_MY_CLIENT_MASK
PLUTO_PEER
PLUTO_PEER_CLIENT
PLUTO_PEER_CLIENT_NET
PLUTO_PEER_CLIENT_MASK
PLUTO_MY_PROTOCOL
PLUTO_PEER_PROTOCOL
PLUTO_MY_PORT
PLUTO_PEER_PORT
PLUTO_MY_ID
PLUTO_PEER_ID
PLUTO_PEER_CA

In fact I would like to do something like this (in the leftupdown script):

up-client)
    if [ "$variable" = range1 ]; then
        iptables xxxxxxx
    elif [ "$variable" = range2 ]; then
        iptables yyyyy
    fi
    ;;

but I don't know how I can catch "variable".

I hope it is clearer now; if not, don't hesitate to tell me.
Best regards.

#5 Updated by Tobias Brunner about 1 month ago

But in the pluto variables I don't have range information:

Didn't you read the documentation, which refers to the beginning of the default script for a description of the passed variables (see source:src/_updown/_updown.in)?

Also, where did you get that list of variables? Many are not applicable to strongSwan's updown plugin.

#6 Updated by Alf Stun about 1 month ago

Finally, it works with PLUTO_MY_CLIENT.

Many thanks for your support.
