[Openswan dev] Problems with masquerade and sourceip /32 netmask
Avesh Agarwal
avagarwa at redhat.com
Tue Jul 6 18:56:05 EDT 2010
On 07/06/2010 05:31 PM, Tuomo Soini wrote:
> I can say that using the netmask of the remote network for addsource() in
> _updown.netkey is a totally broken idea.
>
> Think about a vpn tunnel with rightsubnet=0.0.0.0/0 - that would give a
> netmask of 0 for addsource. So the idea is completely broken.
>
> Could you try this patch and see if it makes masquerade work as expected
> with a /32 netmask.
>
> I'd generally say that masquerade to a vpn tunnel is a braindead idea and
> should not ever be done by default.
>
> If masquerade to a vpn tunnel is wanted, it should at least be done
> specifically with the -m policy iptables module. And SNAT should be used
> instead of MASQUERADE.
>
Hello Tuomo,
Thanks. I will test it, and will let you know.
However, I had taken it from the KLIPS updown script, as you can see
from the code segment below; does it also require fixing?
programs/_updown.klips/_updown.ip2.in----------------
st=0
#
# Fix for Bug #66215 to solve SNAT/MASQUERADE problems with recent
# 2.6.x kernels.
# Instead of a /32 it seems better to use the netmask of the remote
# (peer) network for the sourceip as suggested by Patrick McHardy.
#
cidr=${PLUTO_MY_CLIENT##*/}
snet=${PLUTO_MY_SOURCEIP%/*}/32
if test "${PLUTO_PEER_CLIENT}" != "${cidr}"
then
    snet=${PLUTO_MY_SOURCEIP%/*}/${cidr}
fi
if ! ip addr show dev ${PLUTO_INTERFACE%:*} | grep -qs "inet ${snet}"
then
    it="ip addr add ${snet} dev ${PLUTO_INTERFACE%:*}"
----------------------------------------------------------------------------------------------------------------------------------------------
Thanks and Regards
Avesh
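An added example (not code from the openswan tree or from either poster) showing Tuomo's objection concretely: the prefix length the "remote netmask" rule hands to `ip addr add` when rightsubnet is 0.0.0.0/0, the plain /32 alternative, and an SNAT rule scoped with the -m policy match instead of a blanket MASQUERADE. It assumes the netkey variant takes the prefix from PLUTO_PEER_CLIENT; the PLUTO_* values are passed as arguments and the addresses are constructed.

```shell
#!/bin/sh
# Added example, not the _updown script. Nothing here touches the
# system: each function only prints the command or address it would use.

# Address the "remote netmask" rule would add to the interface.
#   $1 = PLUTO_MY_SOURCEIP, $2 = PLUTO_PEER_CLIENT (rightsubnet)
# With rightsubnet=0.0.0.0/0 the prefix becomes 0, so the sourceip would be
# added as a /0: every IPv4 address treated as on-link for that interface.
snet_remote_mask() {
    cidr=${2##*/}                      # prefix length of the peer network
    printf '%s/%s\n' "${1%/*}" "$cidr"
}

# The /32 behaviour Tuomo asks to test for: the sourceip is one host.
#   $1 = PLUTO_MY_SOURCEIP (with or without a /prefix)
snet_host() {
    printf '%s/32\n' "${1%/*}"
}

# SNAT restricted to traffic that will actually be IPsec-encapsulated
# toward the peer subnet (assumed shape of the -m policy rule Tuomo
# mentions; MASQUERADE is replaced by SNAT to the fixed sourceip).
#   $1 = PLUTO_MY_SOURCEIP, $2 = PLUTO_PEER_CLIENT
snat_rule_for_tunnel() {
    printf 'iptables -t nat -A POSTROUTING -m policy --dir out --pol ipsec --mode tunnel -d %s -j SNAT --to-source %s\n' \
        "$2" "${1%/*}"
}

# Constructed values: sourceip 10.9.9.9 on a tunnel with rightsubnet=0.0.0.0/0.
main() {
    echo "remote-mask rule: $(snet_remote_mask 10.9.9.9 0.0.0.0/0)"  # 10.9.9.9/0
    echo "host rule:        $(snet_host 10.9.9.9)"                   # 10.9.9.9/32
    snat_rule_for_tunnel 10.9.9.9 0.0.0.0/0
}
main
```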