[Openswan Users] leftsourceip behaving strangely (improperly?)

Greg Scott GregScott at Infrasupport.com
Wed Mar 9 12:47:43 EST 2011


I just noticed this.  One of my ipsec systems hung a few days ago.
Thinking I had a hardware problem, I started building up a replacement.
Checking it out, I noticed my Internet tunnel facing NIC somehow took on
the IP Address of the LAN facing NIC.  This was strange.  Digging
deeper, I see what's going on.  

 

The LAN side is 172.21.99.100/24 on device eth1.  The Internet side
(obfuscated) is 1.2.123.217/30 on device eth0.

 

When I put leftsourceip=172.21.99.11 in my conn definition, after
starting ipsec, I see this IP Address - but with a /16 - assigned to
eth0, the Internet facing NIC.  What's up with that?  When I comment out
the leftsourceip line, the IP Addresses for all NICs look as expected.
I can get rid of the leftsourceip and rightsourceip lines - I put them
in to help troubleshoot problems when they come up because I don't
always have the ability to get at systems behind the tunnel.  

 

But this behavior is a new surprise - it never used to behave like this
and I have several dozen systems set up this way.   Why in the world did
Openswan start assigning a private IP Address to the tunnel facing NIC?
And can/should I do anything about it?

 

The new behavior happens with both 2.6.29 and 2.6.31 running on Fedora
14.  

 

Here's the relevant portion of the conn definition with the public IP
addresses obfuscated.   The leftsourceip is part of the leftsubnet - yet
it ended up being assigned to the tunnel facing NIC with a /16 mask.
Commenting out the leftsourceip line gets rid of the problem.  

 

conn DR

        left=1.2.123.217

        leftnexthop=1.2.123.218

        leftsubnet=172.21.99.0/24

        leftsourceip=172.21.99.100

        leftid=@dr.local

        # rsakey AQPLd3j2f

        leftrsasigkey=0sAQPLd3j2...

 

Thanks

 

-          Greg Scott

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110309/c397c4c9/attachment.html 


More information about the Users mailing list