<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
On 03/15/2011 01:53 AM, Greg Scott wrote:
<blockquote
cite="mid:925A849792280C4E80C5461017A4B8A27D87ED@mail733.InfraSupportEtc.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">A
bunch of comments on my route question but nothing on this
one. Am I drawing the right conclusion on the leftsourceip
thing?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
</div>
</blockquote>
<br>
There is a new build
(<a class="moz-txt-link-freetext" href="http://koji.fedoraproject.org/koji/buildinfo?buildID=232875">http://koji.fedoraproject.org/koji/buildinfo?buildID=232875</a>) for
Fedora 14 without the patch that causes this issue. Not pushed for
updates yet (need to wait for one week at least), but you can try if
you want to.<br>
<br>
Thanks and Regards<br>
Avesh<br>
<br>
<blockquote
cite="mid:925A849792280C4E80C5461017A4B8A27D87ED@mail733.InfraSupportEtc.com"
type="cite">
<div class="WordSection1">
<p class="MsoListParagraph" style="text-indent: -0.25in;"><!--[if !supportLists]--><span
style="color: rgb(31, 73, 125);"><span style="">-<span
style="font: 7pt "Times New Roman";">
</span></span></span><!--[endif]--><span style="color:
rgb(31, 73, 125);">Greg Scott<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<div>
<div style="border-right: medium none; border-width: 1pt
medium medium; border-style: solid none none; border-color:
rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color;
padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span style="font-size: 10pt;
font-family:
"Tahoma","sans-serif";">From:</span></b><span
style="font-size: 10pt; font-family:
"Tahoma","sans-serif";">
<a class="moz-txt-link-abbreviated" href="mailto:users-bounces@openswan.org">users-bounces@openswan.org</a>
[<a class="moz-txt-link-freetext" href="mailto:users-bounces@openswan.org">mailto:users-bounces@openswan.org</a>] <b>On Behalf Of </b>Greg
Scott<br>
<b>Sent:</b> Monday, March 14, 2011 9:24 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:users@openswan.org">users@openswan.org</a><br>
<b>Subject:</b> Re: [Openswan Users] leftsourceip
behaving strangely (improperly?)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">Also
back in 2006, the suggestion was made to put in
leftsourceip=nn.nn.nn.nn in my conn definitions, where
nn.nn.nn.nn is the IP Address of my LAN facing NIC. That
way I could ping the other side of a tunnel without
always having to remember ping -I nn.nn.nn.nn
{the.other.side}. <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">But
now when I put in leftsourceip=nn.nn.nn.nn it looks like
Openswan assigns nn.nn.nn.nn to the Internet facing NIC, but
with the wrong mask. Is this expected?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">As I
think about it, this makes sense and maybe helps clarify
which IP Address to use when the Internet facing NIC has a lot
of addresses. It’s just different behavior than before.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent: -0.25in;"><!--[if !supportLists]--><span
style="color: rgb(31, 73, 125);"><span style="">-<span
style="font: 7pt "Times New Roman";">
</span></span></span><!--[endif]--><span style="color:
rgb(31, 73, 125);">Greg Scott<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color: rgb(31, 73, 125);"><o:p> </o:p></span></p>
<div>
<div style="border-right: medium none; border-width: 1pt
medium medium; border-style: solid none none; border-color:
rgb(181, 196, 223) -moz-use-text-color -moz-use-text-color;
padding: 3pt 0in 0in;">
<p class="MsoNormal"><b><span style="font-size: 10pt;
font-family:
"Tahoma","sans-serif";">From:</span></b><span
style="font-size: 10pt; font-family:
"Tahoma","sans-serif";">
<a class="moz-txt-link-abbreviated" href="mailto:users-bounces@openswan.org">users-bounces@openswan.org</a>
[<a class="moz-txt-link-freetext" href="mailto:users-bounces@openswan.org">mailto:users-bounces@openswan.org</a>] <b>On Behalf Of </b>Greg
Scott<br>
<b>Sent:</b> Wednesday, March 09, 2011 11:48 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:users@openswan.org">users@openswan.org</a><br>
<b>Cc:</b> Steve Schmit; Dan Stadick<br>
<b>Subject:</b> [Openswan Users] leftsourceip behaving
strangely (improperly?)<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I just noticed this. One of my ipsec
systems hung a few days ago. Thinking I had a hardware
problem, I started building up a replacement. Checking it
out, I noticed my Internet tunnel facing NIC somehow took on
the IP Address of the LAN facing NIC. This was strange.
Digging deeper, I see what’s going on. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The LAN side is 172.21.99.100/24 on device
eth1. The Internet side (obfuscated) is 1.2.123.217/30 on
device eth0.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">When I put leftsourceip=172.21.99.11 in my
conn definition, after starting ipsec, I see this IP Address -
but with a /16 – assigned to eth0, the Internet facing NIC.
What’s up with that? When I comment out the leftsourceip
line, the IP Addresses for all NICs look as expected. I can
get rid of the leftsourceip and rightsourceip lines – I put
them in to help troubleshoot problems when they come up
because I don’t always have the ability to get at systems
behind the tunnel. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">But this behavior is a new surprise – it
never used to behave like this and I have several dozen
systems set up this way. Why in the world did Openswan start
assigning a private IP Address to the tunnel facing NIC? And
can/should I do anything about it?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The new behavior happens with both 2.6.29
and 2.6.31 running on Fedora 14. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Here’s the relevant portion of the conn
definition with the public IP addresses obfuscated. The
leftsourceip is part of the leftsubnet – yet it ended up being
assigned to the tunnel facing NIC with a /16 mask.
Commenting out the leftsourceip line gets rid of the problem.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<pre>conn DR
    left=1.2.123.217
    leftnexthop=1.2.123.218
    leftsubnet=172.21.99.0/24
    leftsourceip=172.21.99.100
    leftid=@dr.local
    # rsakey AQPLd3j2f
    leftrsasigkey=0sAQPLd3j2…
</pre>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="text-indent: -0.25in;"><!--[if !supportLists]--><span
style="">-<span style="font: 7pt "Times New
Roman";"> </span></span><!--[endif]-->Greg
Scott<o:p></o:p></p>
</div>
</blockquote>
<br>
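A check for the symptom described in this thread, added here as an example (not code from the posters or from Openswan): it reads a conn section and `ip -o -4 addr show` output and reports which interface carries the leftsourceip address and with what prefix. The function name, the output labels and the sample data are constructed for illustration, and the parser assumes plain key=value lines.<br>

```shell
#!/bin/sh
# Added example: flag leftsourceip landing on the Internet-facing NIC.
# check_sourceip CONN_TEXT ADDR_TEXT
#   CONN_TEXT: a conn section with key=value lines (ipsec.conf style)
#   ADDR_TEXT: output of `ip -o -4 addr show`
check_sourceip() {
    { printf '%s\n' "$1"; echo '--ADDR--'; printf '%s\n' "$2"; } | awk '
    $0 == "--ADDR--" { in_addr = 1; next }
    !in_addr {
        if ($1 ~ /^#/) next                 # skip commented-out settings
        n = index($1, "=")
        if (n == 0) next                    # e.g. the "conn DR" header
        cfg[substr($1, 1, n - 1)] = substr($1, n + 1)
        next
    }
    $3 == "inet" {
        split($4, a, "/")
        cnt++; ifname[cnt] = $2; ip[cnt] = a[1]; plen[cnt] = a[2]
        if (a[1] == cfg["left"]) wan = $2   # NIC that carries left=
    }
    END {
        split(cfg["leftsubnet"], s, "/")
        for (i = 1; i <= cnt; i++) {
            if (ip[i] != cfg["leftsourceip"]) continue
            where = ifname[i] " " ip[i] "/" plen[i]
            if (ifname[i] == wan)      print "MISPLACED " where
            else if (plen[i] != s[2])  print "MASK " where
            else                       print "OK " where
        }
    }'
}

# Constructed sample data matching the addresses quoted in the thread.
SAMPLE_CONN='conn DR
    left=1.2.123.217
    leftnexthop=1.2.123.218
    leftsubnet=172.21.99.0/24
    leftsourceip=172.21.99.100'
SAMPLE_ADDRS='2: eth0    inet 1.2.123.217/30 brd 1.2.123.219 scope global eth0
2: eth0    inet 172.21.99.100/16 scope global eth0
3: eth1    inet 172.21.99.100/24 brd 172.21.99.255 scope global eth1'

check_sourceip "$SAMPLE_CONN" "$SAMPLE_ADDRS"
```

MISPLACED means the address sits on the interface that also holds left=; MASK means it is on another interface but with a prefix length different from leftsubnet.<br>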
</body>
</html>