[Openswan dev] why pluto adds the leftsourceip to the ipsec device?

Roel van Meer rolek at bokxing.nl
Tue Feb 8 08:22:03 EST 2011


Wolfgang Nothdurft writes:

>>> I think it is a problem with the query:
>>>
>>> 287     cidr=${PLUTO_MY_CLIENT##*/}
>>> 288     snet=${PLUTO_MY_SOURCEIP%/*}/32
>>> 289     if test "${PLUTO_PEER_CLIENT}" != "${cidr}"
>>> 290     then
>>> 291         snet=${PLUTO_MY_SOURCEIP%/*}/${cidr}
>>> 292     fi
>>>
>>>
>>> "${PLUTO_PEER_CLIENT}" != "${cidr}"  always differs
>>>
>>> mustn't it be
>>>
>>> "${PLUTO_PEER_CLIENT##*/}" != "${cidr}"

Yes, that would make more sense.

>>> but anyway why ipsec needs this local ip on the ipsec device?

If the ipsec device has an IP address leftsourceip, than you can create a 
route with this local address as source address. That means you don't need 
iptables to SNAT locally originated packets to your tunnel.

If you do not have this address, than packets originating from the host 
running ipsec will have the ip of ipsec0 as their source address. This 
usually isn't an address in your tunneled network, so you'd have to use 
iptables to SNAT that.

IMHO a netmask of /32 should work well for these addresses (as long as you 
add the proper route, afterwards) but if Patrick says otherwise there must 
be something I don't know.

Maybe someone with access to archives or a good memory can figure out what 
this mysterious Bug #66215 was all about? I can't seem to find anything 
about it, except for more references to it being a mystery and a ClearOS bug 
report that said they'd removed the workaround.

Regards,

Roel


More information about the Dev mailing list