Project

General

Profile

Feature #380

Updated by Tobias Brunner over 5 years ago

When using the new kernel-libipsec plugin on a openvz vps I run into problems with /32 remote subnets being unsupported. It can be solved by first disabling the checks in kernel_libipsec_ipsec.c.

<pre><code class="diff">
diff --git a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c b/src
index 40f253d..5e2e1dc 100644
--- a/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
+++ b/src/libcharon/plugins/kernel_libipsec/kernel_libipsec_ipsec.c
@@ -464,6 +464,7 @@ static bool install_route(private_kernel_libipsec_ipsec_t *t
policy->route = NULL;
}

+#if 0
if (dst_ts->is_host(dst_ts, dst))
{
DBG1(DBG_KNL, "can't install route for %R === %R %N, conflicts w
@@ -479,6 +480,7 @@ static bool install_route(private_kernel_libipsec_ipsec_t *t
/* add exclude route for peer */
add_exclude_route(this, route, src, dst);
}
+#endif

DBG2(DBG_KNL, "installing route: %R src %H dev %s",
dst_ts, route->src_ip, route->if_name);
</code></pre>


Then I changed the ip rule to only have effect if a mark is set:

policy from all fwmark 0x4/0x4 lookup 220

On this server I only marked packets in the mangle OUTPUT chain since it isn't a VPN gateway/router. (A gateway also need to mark packets on PREROUTING.)

<pre>
Chain OUTPUT (policy ACCEPT 309 packets, 38910 bytes)
pkts bytes target prot opt in out source destination
271 38404 MARK !udp -- * * 0.0.0.0/0 0.0.0.0/0 MARK set 0x4
81 5390 MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:!4500 MARK set 0x4
</pre>

Back