[Openswan dev] [PATCH] Updates to the ipsec.conf man page for leftsendcert
Nate Carlson
natecars at natecarlson.com
Thu Jun 10 12:12:33 CEST 2004
On Fri, 14 May 2004, Ken Bantoft wrote:
> leftsourceip=1.2.3.4 (note, no /32) will assign 1.2.3.4/32 to the lo
> interface, and put the correct routes in to do virtual IP style
> connections.
>
> ie: I have
>
> leftsubnet=10.0.30.125/32
> leftsourceip=10.0.30.125
>
> And that lets me assign my laptop an IP from the remote local LAN.
> Ensure your Openswan 'server' has proxy_arp enabled.
I'm finally getting a chance to test this so I can document it, and am not
getting it to work. Here's my configuration right now; all IPs are
actually public.
Oxygen: Firewall for one of my public networks, running OS 2.1.2cvs (2004/05/13)
Knight: My laptop, running same version of Openswan
oxygen config:

conn oxygen-test-net
    leftsubnet=10.10.10.0/27
    leftsourceip=10.10.10.25
    rightcert=knight.crt
    also=oxygen

conn oxygen
    keyingtries=1
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    left=%defaultroute
    leftcert=oxygen.crt
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
knight config:

conn oxygen-net-test
    leftsubnet=10.10.10.0/27
    # Tried with and without this
    #leftsourceip=10.10.10.25
    also=oxygen

conn oxygen
    left=oxygen
    leftcert=oxygen.crt
    right=%defaultroute
    rightcert=knight.crt
    rightsendcert=always
    auto=add
I bring the tunnel up, it comes up just fine, and the virtual IP is added
on Oxygen:

oxygen:~# ip addr show
64: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:50:04:64:7b:b2 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.252/27 brd 10.10.10.255 scope global ipsec0
    inet 10.10.10.25/32 scope global ipsec0
I do also have proxy arp enabled, and I am able to ping the .25 address
from other hosts on the internal network. However, if I try to connect to
the .25 address, the connections are handled locally by oxygen instead of
being forwarded onto knight. When making a connection from Knight to
another box behind Oxygen (on the 10.10.10.0/27 network), the connection
is from Knight's real IP, not the virtual IP.
Any ideas, or should I just keep playing with it?
------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
| depriving some poor village of its idiot since 1981 |
------------------------------------------------------------------------
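Ken's note above says that a `leftsourceip` given without a prefix is assigned as a /32 to the left host, so which end of a conn carries the `*sourceip` decides where the virtual IP ends up. The following is an added example, not code from this thread or from Openswan: it resolves an ipsec.conf `also=` chain and reports, for one conn, which host each `leftsourceip`/`rightsourceip` lands on and whether it lies inside that end's `*subnet`. The sample config is constructed from the oxygen config quoted above, and `%defaultroute` is reported as the literal value rather than being resolved.

```python
import ipaddress
import re

# Constructed sample, trimmed from the "oxygen config" quoted in the post.
SAMPLE_CONF = """\
conn oxygen-test-net
    leftsubnet=10.10.10.0/27
    leftsourceip=10.10.10.25
    also=oxygen
conn oxygen
    left=%defaultroute
    right=%any
    rightsubnet=vhost:%no,%priv
    auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for each conn section, unresolved."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip()
    return conns

def resolve(conns, name, seen=()):
    """Flatten an also= chain; the referencing conn's own keys win over inherited ones."""
    if name in seen:
        raise ValueError("also= loop at " + name)
    own = dict(conns[name])
    merged = resolve(conns, own.pop("also"), seen + (name,)) if "also" in own else {}
    merged.update(own)
    return merged

def sourceip_report(conns, name):
    """Per end with a *sourceip: the host that gets the /32 and whether it fits *subnet."""
    params = resolve(conns, name)
    report = {}
    for end in ("left", "right"):
        ip = params.get(end + "sourceip")
        if ip is None:
            continue
        subnet = params.get(end + "subnet", "")
        inside = None  # unknown when the subnet is a vhost: spec or absent
        if subnet and not subnet.startswith("vhost:"):
            inside = ipaddress.ip_address(ip) in ipaddress.ip_network(subnet, strict=False)
        report[end] = {"host": params.get(end, "?"), "sourceip": ip, "inside_subnet": inside}
    return report
```

Running `sourceip_report(parse_conns(SAMPLE_CONF), "oxygen-test-net")` shows the /32 attached to the `left` end, which is the host whose `ip addr show` output above lists it.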