[Openswan Users] leftsourceip behaving strangely (improperly?)
Greg Scott
GregScott at Infrasupport.com
Mon Mar 14 10:24:20 EDT 2011
Also back in 2006, the suggestion was made to put in
leftsourceip=nn.nn.nn.nn in my conn definitions, where nn.nn.nn.nn is
the IP Address of my LAN facing NIC. That way I could ping the other
side of the tunnel without always having to remember ping -I
nn.nn.nn.nn {the.other.side}.
But now when I put in leftsourceip=nn.nn.nn.nn it looks like Openswan
assigns nn.nn.nn.nn to the Internet facing NIC, but with the wrong mask.
Is this expected?
As I think about it, this makes sense and maybe helps clarify which IP
Address to use when the Internet facing NIC has a lot of addresses. It's
just different behavior than before.
Thanks
- Greg Scott
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Greg Scott
Sent: Wednesday, March 09, 2011 11:48 AM
To: users at openswan.org
Cc: Steve Schmit; Dan Stadick
Subject: [Openswan Users] leftsourceip behaving strangely (improperly?)
I just noticed this. One of my ipsec systems hung a few days ago.
Thinking I had a hardware problem, I started building up a replacement.
Checking it out, I noticed my Internet tunnel facing NIC somehow took on
the IP Address of the LAN facing NIC. This was strange. Digging
deeper, I see what's going on.
The LAN side is 172.21.99.100/24 on device eth1. The Internet side
(obfuscated) is 1.2.123.217/30 on device eth0.
When I put leftsourceip=172.21.99.11 in my conn definition, after
starting ipsec, I see this IP Address - but with a /16 - assigned to
eth0, the Internet facing NIC. What's up with that? When I comment out
the leftsourceip line, the IP Addresses for all NICs look as expected.
I can get rid of the leftsourceip and rightsourceip lines - I put them
in to help troubleshoot problems when they come up because I don't
always have the ability to get at systems behind the tunnel.
But this behavior is a new surprise - it never used to behave like this
and I have several dozen systems set up this way. Why in the world did
Openswan start assigning a private IP Address to the tunnel facing NIC?
And can/should I do anything about it?
The new behavior happens with both 2.6.29 and 2.6.31 running on Fedora
14.
Here's the relevant portion of the conn definition with the public IP
addresses obfuscated. The leftsourceip is part of the leftsubnet - yet
it ended up being assigned to the tunnel facing NIC with a /16 mask.
Commenting out the leftsourceip line gets rid of the problem.
conn DR
    left=1.2.123.217
    leftnexthop=1.2.123.218
    leftsubnet=172.21.99.0/24
    leftsourceip=172.21.99.100
    leftid=@dr.local
    # rsakey AQPLd3j2f
    leftrsasigkey=0sAQPLd3j2...
Thanks
- Greg Scott