[Openswan dev] why pluto adds the leftsourceip to the ipsec device?
Roel van Meer
rolek at bokxing.nl
Tue Feb 8 08:22:03 EST 2011
Wolfgang Nothdurft writes:
>>> I think it is a problem with the query:
>>>
>>> 287 cidr=${PLUTO_MY_CLIENT##*/}
>>> 288 snet=${PLUTO_MY_SOURCEIP%/*}/32
>>> 289 if test "${PLUTO_PEER_CLIENT}" != "${cidr}"
>>> 290 then
>>> 291 snet=${PLUTO_MY_SOURCEIP%/*}/${cidr}
>>> 292 fi
>>>
>>>
>>> "${PLUTO_PEER_CLIENT}" != "${cidr}" always differs
>>>
>>> mustn't it be
>>>
>>> "${PLUTO_PEER_CLIENT##*/}" != "${cidr}"
Yes, that would make more sense.
>>> but anyway why ipsec needs this local ip on the ipsec device?
If the ipsec device has an IP address leftsourceip, then you can create a
route with this local address as the source address. That means you don't need
iptables to SNAT locally originated packets to your tunnel.
If you do not have this address, then packets originating from the host
running ipsec will have the IP of ipsec0 as their source address. This
usually isn't an address in your tunneled network, so you'd have to use
iptables to SNAT that.
IMHO a netmask of /32 should work well for these addresses (as long as you
add the proper route, afterwards) but if Patrick says otherwise there must
be something I don't know.
Maybe someone with access to archives or a good memory can figure out what
this mysterious Bug #66215 was all about? I can't seem to find anything
about it, except for more references to it being a mystery and a ClearOS bug
report that said they'd removed the workaround.
Regards,
Roel
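The following is an added example, not code from Openswan's _updown script or from either poster. It reproduces the source-address computation quoted above with Wolfgang's corrected comparison, then prints (as a dry run, so it needs no root and no live tunnel) the ip(8) commands that put leftsourceip on the ipsec device and route the peer network with that source, next to the iptables SNAT rule you would otherwise need. The PLUTO_* variable names are the ones pluto exports; the sample addresses, the interface name ipsec0 and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not Openswan's _updown). Inputs are passed as arguments
# so the functions can be tested with constructed values; in a real hook
# they would come from $PLUTO_MY_SOURCEIP, $PLUTO_MY_CLIENT,
# $PLUTO_PEER_CLIENT and $PLUTO_INTERFACE.

# source_net SOURCEIP MY_CLIENT PEER_CLIENT
# Prints the address/prefix to configure on the ipsec device.
source_net() {
    cidr=${2##*/}              # prefix length of our own subnet
    snet=${1%/*}/32            # default: a host address on the device
    # The quoted script compared the whole PLUTO_PEER_CLIENT (net/prefix)
    # with a bare prefix length, which never matches, so it always took
    # the second branch.  Compare prefix lengths on both sides instead.
    if test "${3##*/}" != "$cidr"; then
        snet=${1%/*}/$cidr
    fi
    printf '%s\n' "$snet"
}

# route_up SOURCEIP MY_CLIENT PEER_CLIENT IFACE
# Prints the commands that make locally originated traffic to the peer
# network leave with the tunnel-internal source address, no NAT needed.
route_up() {
    src=${1%/*}
    snet=$(source_net "$1" "$2" "$3")
    printf 'ip addr add %s dev %s\n' "$snet" "$4"
    printf 'ip route add %s dev %s src %s\n' "$3" "$4" "$src"
}

# nat_up SOURCEIP PEER_CLIENT
# The alternative when the device carries no tunnel-internal address:
# rewrite the source of locally generated packets headed into the tunnel.
nat_up() {
    printf 'iptables -t nat -A POSTROUTING -d %s -j SNAT --to-source %s\n' \
        "$2" "${1%/*}"
}

# Demonstration with constructed values (a /24 on each side).
route_up 10.1.0.1 10.1.0.0/24 10.2.0.0/24 ipsec0
nat_up 10.1.0.1 10.2.0.0/24
```

With equal prefix lengths on both sides the corrected test yields a /32 on the device, which is the case Roel describes as sufficient as long as the route with `src` is added afterwards; with the original comparison the script would always have fallen through to `/${cidr}`.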