Simon T
2018-10-03 11:50:13 UTC
Hi,
I'm using strongSwan 5.6.1 (Linux 4.14.29, x86_64) and see some
unexpected behavior when I add a tunnel where the subnet for my side
of the connection does not exist on any interface on my machine.
Strongswan (well, I'm pretty sure it's Strongswan) adds a /32 IP to my
loopback interface when bringing up the connection.
E.g. My side is 10.0.0.0/24, and when the tunnel comes up, I find lo
has 10.0.0.0/32 installed to it. Is it possible to disable this
behavior? I was thinking of using an updown script to delete it, but
want to know if there's a way to avoid it being installed in the first
place?
# ip addr show lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 10.0.0.0/32 scope global lo <------- This entry
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
# cat /etc/ipsec.conf
config setup

conn %default
    ikelifetime=14400s
    keylife=10800s
    rekeymargin=600s
    keyingtries=%forever
    keyexchange=ikev2
    authby=secret
    ike=aes256-sha256-modp1536!
    esp=aes256-sha256-modp1536!
    closeaction=restart

conn tun
    auto=start
    forceencaps=yes
    ikelifetime=14400s
    keylife=10800s
    left=10.33.1.93
    leftfirewall=no
    leftid=@tunleft
    leftsubnet=10.0.0.0/24
    rekeymargin=600s
    right=10.55.2.18
    rightfirewall=no
    rightid=@tunright
    rightsubnet=10.1.1.1/32
Most traffic routes fine across the tunnel -- it's just that the
10.0.0.0/24 network doesn't reside locally, instead it comes from
another source, with my server acting as an intermediary router. So
adding 10.0.0.0/32 to lo stops traffic from the real 10.0.0.0 IP
working.
Regards,
Simon
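An added check, written for this thread and not taken from strongSwan, that an updown script could use to detect the symptom above: it parses `ip addr show lo` output, reports any non-loopback address on lo that falls inside the tunnel's local subnet, and by default only prints the `ip addr del` it would run. The sample output is constructed from the post, and the updown hookup via PLUTO_VERB/PLUTO_MY_CLIENT in the closing comment is an assumption about those variables.

```bash
#!/bin/bash
# Added example, not strongSwan code: find addresses on lo that lie inside the
# tunnel's local subnet (the stray /32 from the post) so an updown script can drop them.

# Constructed sample, copied from the `ip addr show lo` output in the post.
SAMPLE_LO='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 10.0.0.0/32 scope global lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host'

# Dotted-quad IPv4 address -> 32-bit integer (10# avoids octal surprises).
ip2int() {
  local IFS=.
  set -- $1
  echo $(( (10#$1 << 24) | (10#$2 << 16) | (10#$3 << 8) | 10#$4 ))
}

# in_subnet ADDR NET/BITS: succeeds when ADDR lies inside NET/BITS.
in_subnet() {
  local addr=$1 net=${2%/*} bits=${2#*/}
  local mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# foreign_lo_addrs IPOUT SUBNET: prints every IPv4 prefix in IPOUT (text of
# `ip addr show lo`) that is not loopback and falls inside SUBNET.
foreign_lo_addrs() {
  local ipout=$1 subnet=$2 cidr
  printf '%s\n' "$ipout" |
    awk '{ for (i = 1; i <= NF; i++) if ($i == "inet") print $(i + 1) }' |
    while read -r cidr; do
      in_subnet "${cidr%/*}" 127.0.0.0/8 && continue
      in_subnet "${cidr%/*}" "$subnet" && printf '%s\n' "$cidr"
    done
}

# cleanup_lo_addrs IPOUT SUBNET: removes the matches. Dry run by default (prints
# the command); set IP_CMD=ip in the real updown script to execute it.
cleanup_lo_addrs() {
  local cidr
  foreign_lo_addrs "$1" "$2" | while read -r cidr; do
    ${IP_CMD:-echo ip} addr del "$cidr" dev lo
  done
}

# Intended use from an updown script (assumption: PLUTO_VERB is "up-client" and
# PLUTO_MY_CLIENT holds the local traffic selector as net/bits):
#   [ "$PLUTO_VERB" = up-client ] &&
#     IP_CMD=ip cleanup_lo_addrs "$(ip addr show lo)" "$PLUTO_MY_CLIENT"
```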