Feature #2162

Updated by Tobias Brunner over 2 years ago

Hi,

I'm opening a ticket on the advice of Noel Kuntze on the mailing list. My client and server ipsec.confs are included at the end of the ticket.

I'm having what seems to be a similar problem as that described in ticket #85, but the IPsec connection is established fine - I just have routing problems.

I'm having trouble using auto=route with virtual IPs. My goal is to assign virtual IPs to many roadwarrior clients, which I want to connect to the VPN as soon as possible and remain connected as reliably as possible. I thought auto=route was the best way to achieve that.

When I use auto=add (or auto=start) I can get an IPsec connection, and traffic flows. After doing so, ip route list table 220 looks like this:

<pre>
172.16.0.0/16 via 192.168.1.254 dev enxxx proto static src 172.16.0.3
</pre>

However if I use auto=route (or run ipsec route and then ipsec up) I can't send traffic over the tunnel, and my table 220 looks like this:

<pre>
172.16.0.0/16 via 192.168.1.254 dev eth0 proto static
</pre>

So presumably traffic is being sent with the src set to my interface's real IP instead of the virtual one. If I remove the leftsubnet directive from the client config, I get a route with src explicitly set to my interface's real IP. I understand that when the route is initially created, there isn't enough information to create the correct route. But shouldn't the route be replaced by the correct one when the tunnel is established?

Thanks,
Alex

<pre>
# Gateway ipsec.conf

config setup
uniqueids=never
charondebug="cfg 4, dmn 4, ike 4, net 4"

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2

conn my-conn
left=%any
leftcert=my-server-cert.pem
leftid=my-server-fqdn.com
leftsubnet=172.16.0.0/16
leftauth=pubkey
leftfirewall=yes
right=%any
rightsourceip=172.16.0.0/16
auto=add
</pre>

<pre>
# Client ipsec.conf

config setup

conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2

conn my-conn
left=%any
leftsourceip=%config
leftcert=my-client-cert.pem
leftid=my-client-fqdn.com
leftsubnet=0.0.0.0/0 # Removing this gives a more explicitly incorrect route
leftfirewall=yes
right=my-server-fqdn.com
rightid=my-server-fqdn.com
rightsubnet=172.16.0.0/16
auto=add
</pre>
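The ticket's diagnosis hinges on whether the route strongSwan installs in table 220 carries a <code>src</code> attribute equal to the assigned virtual IP. The following POSIX shell snippet is an added diagnostic, not part of the ticket or of strongSwan: it parses <code>ip route list table 220</code>-style output and reports whether the route to the remote subnet uses the expected virtual IP as its source. The two sample route lines are constructed from the ones quoted above; the subnet and virtual IP are the ticket's values, and the function names are my own.

```shell
#!/bin/sh
# Added diagnostic for the routing symptom described in the ticket (not strongSwan code).
# Input is the text of `ip route list table 220`; the two samples below are constructed
# from the routes quoted in the report.

# route_src DEST ROUTES
#   Prints the value of the `src` attribute on the route whose prefix is DEST,
#   or "none" if that route has no src (or is not present at all).
route_src() {
    dest="$1"
    printf '%s\n' "$2" | awk -v dest="$dest" '
        $1 == dest {
            found = 1
            src = "none"
            for (i = 2; i <= NF; i++) if ($i == "src") src = $(i + 1)
            print src
            exit
        }
        END { if (!found) print "none" }'
}

# check_vip_route DEST VIP ROUTES
#   Succeeds (exit 0) only when the route to DEST sources traffic from VIP,
#   i.e. the route looks like the working auto=add case from the ticket.
check_vip_route() {
    got=$(route_src "$1" "$3")
    [ "$got" = "$2" ]
}

# Constructed samples: the route seen with auto=add (correct, src = virtual IP)
# and the route seen with auto=route (no src, so the real interface IP is used).
ROUTES_OK='172.16.0.0/16 via 192.168.1.254 dev enxxx proto static src 172.16.0.3'
ROUTES_BAD='172.16.0.0/16 via 192.168.1.254 dev eth0 proto static'

for routes in "$ROUTES_OK" "$ROUTES_BAD"; do
    if check_vip_route 172.16.0.0/16 172.16.0.3 "$routes"; then
        echo "OK: route to 172.16.0.0/16 sources from virtual IP 172.16.0.3"
    else
        echo "PROBLEM: route to 172.16.0.0/16 has src $(route_src 172.16.0.0/16 "$routes"), expected 172.16.0.3"
    fi
done
```

On a live client, replace the constructed samples with <code>"$(ip route list table 220)"</code> after the tunnel is up; a "PROBLEM" result means packets to the remote subnet will leave with the interface's real address rather than the virtual IP, which is exactly the auto=route symptom reported here.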