[Openswan dev] why pluto adds the leftsourceip to the ipsec device?

Wolfgang Nothdurft wolfgang at linogate.de
Tue Feb 8 04:35:24 EST 2011

Am 08.02.2011 07:39, schrieb Roel van Meer:
> Wolfgang Nothdurft writes:
>> as I reported in https://gsoc.xelerance.com/issues/1199 there is a
>> problem when the netmask between the configured leftsubnet and the real
>> local subnet differs.
>> Another problem can be when doing an ifdown/up on the local interface
>> which is not the ipsec base interface. Then the local route is added
>> after the ipsec route and no access to the lan is possible.
>> My general question is: why is there a need to add the leftsourceip to
>> the ipsec device?
> Since openswan 2.6.32 the leftsourceip is added with a /32 netmask, thus 
> preventing any local routes to be added via the ipsec interface. This should 
> fix the problem you have with losing access to your lan.
> Which version is it that you are experiencing this problem with?

I use 2.6.29 with klips and I can't see any changes in 2.6.32.

I think it is a problem with the query:

    cidr=${PLUTO_MY_CLIENT##*/}
    snet=${PLUTO_MY_SOURCEIP%/*}/32
    if test "${PLUTO_PEER_CLIENT}" != "${cidr}"
    then
        snet=${PLUTO_MY_SOURCEIP%/*}/${cidr}
    fi

"${PLUTO_PEER_CLIENT}" != "${cidr}" always differs.

Mustn't it be

"${PLUTO_PEER_CLIENT##*/}" != "${cidr}"

But anyway, why does ipsec need this local IP on the ipsec device?
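The following is an added example, not code from the post or from the openswan _updown script. It wraps the quoted netmask-selection snippet in two shell functions, one comparing the whole PLUTO_PEER_CLIENT string as quoted and one comparing only its prefix length as the post suggests, and runs both on constructed values so the difference in the resulting source route prefix is visible. The variable names match the snippet; the sample addresses are made up and carry no meaning beyond the demonstration. Which comparison the script author intended is not settled on this page; the example only shows what each variant produces.

```shell
#!/bin/sh
# Added example: reproduce the netmask selection quoted above.
# Arguments: PLUTO_MY_CLIENT PLUTO_MY_SOURCEIP PLUTO_PEER_CLIENT
# Prints the "snet" value the updown logic would route via the ipsec device.

# Variant 1: the comparison exactly as quoted in the post.
# "${PLUTO_PEER_CLIENT}" is a full "net/len" string, "${cidr}" is only a
# length, so the test is true for every normal peer subnet.
snet_as_quoted() {
    q_my_client=$1; q_sourceip=$2; q_peer_client=$3
    q_cidr=${q_my_client##*/}            # prefix length of leftsubnet
    q_snet=${q_sourceip%/*}/32           # default: host route only
    if test "${q_peer_client}" != "${q_cidr}"
    then
        q_snet=${q_sourceip%/*}/${q_cidr}   # leftsourceip with leftsubnet's length
    fi
    printf '%s\n' "$q_snet"
}

# Variant 2: the comparison the post proposes, prefix length against
# prefix length. Only when peer and local lengths differ is the wider
# prefix used; otherwise the /32 host route stays.
snet_prefix_compare() {
    p_my_client=$1; p_sourceip=$2; p_peer_client=$3
    p_cidr=${p_my_client##*/}
    p_snet=${p_sourceip%/*}/32
    if test "${p_peer_client##*/}" != "${p_cidr}"
    then
        p_snet=${p_sourceip%/*}/${p_cidr}
    fi
    printf '%s\n' "$p_snet"
}

# Constructed sample values (not from any real configuration):
#   leftsubnet 10.0.0.0/24, leftsourceip 10.0.0.5, rightsubnet 192.168.1.0/24
echo "as quoted,   same /24 on both sides: $(snet_as_quoted 10.0.0.0/24 10.0.0.5 192.168.1.0/24)"
echo "prefix only, same /24 on both sides: $(snet_prefix_compare 10.0.0.0/24 10.0.0.5 192.168.1.0/24)"
echo "as quoted,   peer is a /16:          $(snet_as_quoted 10.0.0.0/24 10.0.0.5 192.168.0.0/16)"
echo "prefix only, peer is a /16:          $(snet_prefix_compare 10.0.0.0/24 10.0.0.5 192.168.0.0/16)"
```

With equal prefix lengths the quoted form yields 10.0.0.5/24, i.e. a /24 route for the local source address on the ipsec device, which is the kind of route that can shadow the real LAN route the post describes; the prefix-only form keeps the /32 host route in that case and only widens it when the two lengths differ.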
