[Openswan Users] leftsourceip behaving strangely (improperly?)

Avesh Agarwal avagarwa at redhat.com
Tue Mar 15 09:37:57 EDT 2011


On 03/15/2011 01:53 AM, Greg Scott wrote:
>
> A bunch of comments on my route question but nothing on this one.  Am 
> I drawing the right conclusion on the leftsourceip thing?
>
> Thanks
>

There is a new build 
(http://koji.fedoraproject.org/koji/buildinfo?buildID=232875) for Fedora 
14 without the patch that causes this issue. Not pushed for updates yet 
(need to wait for one week at least), but you can try if you want to.

Thanks and Regards
Avesh

> -Greg Scott
>
> *From:*users-bounces at openswan.org [mailto:users-bounces at openswan.org] 
> *On Behalf Of *Greg Scott
> *Sent:* Monday, March 14, 2011 9:24 AM
> *To:* users at openswan.org
> *Subject:* Re: [Openswan Users] leftsourceip behaving strangely 
> (improperly?)
>
> Also back in 2006, the suggestion was made to put in 
> leftsourceip=nn.nn.nn.nn in my conn definitions, where nn.nn.nn.nn is 
> the IP Address of my LAN facing NIC.  That way I could ping the other 
> side of a tunnel without always having to remember ping -I 
> nn.nn.nn.nn {the.other.side}.
>
> But now when I put in leftsourceip=nn.nn.nn.nn it looks like Openswan 
> assigns nn.nn.nn.nn to the Internet facing NIC, but with the wrong 
> mask.  Is this expected?
>
> As I think about it, this makes sense and maybe helps clarify which IP 
> Address to use when the Internet facing NIC has a lot of addresses.  
> It's just different behavior than before.
>
> Thanks
>
> -Greg Scott
>
> *From:*users-bounces at openswan.org [mailto:users-bounces at openswan.org] 
> *On Behalf Of *Greg Scott
> *Sent:* Wednesday, March 09, 2011 11:48 AM
> *To:* users at openswan.org
> *Cc:* Steve Schmit; Dan Stadick
> *Subject:* [Openswan Users] leftsourceip behaving strangely (improperly?)
>
> I just noticed this.  One of my ipsec systems hung a few days ago.  
> Thinking I had a hardware problem, I started building up a 
> replacement.  Checking it out, I noticed my Internet tunnel facing NIC 
> somehow took on the IP Address of the LAN facing NIC.  This was 
> strange.  Digging deeper, I see what's going on.
>
> The LAN side is 172.21.99.100/24 on device eth1.  The Internet side 
> (obfuscated) is 1.2.123.217/30 on device eth0.
>
> When I put leftsourceip=172.21.99.11 in my conn definition, after 
> starting ipsec, I see this IP Address - but with a /16 -- assigned to 
> eth0, the Internet facing NIC.  What's up with that?  When I comment 
> out the leftsourceip line, the IP Addresses for all NICs look as 
> expected.  I can get rid of the leftsourceip and rightsourceip lines 
> -- I put them in to help troubleshoot problems when they come up 
> because I don't always have the ability to get at systems behind the 
> tunnel.
>
> But this behavior is a new surprise -- it never used to behave like 
> this and I have several dozen systems set up this way.   Why in the 
> world did Openswan start assigning a private IP Address to the tunnel 
> facing NIC?  And can/should I do anything about it?
>
> The new behavior happens with both 2.6.29 and 2.6.31 running on Fedora 
> 14.
>
> Here's the relevant portion of the conn definition with the public IP 
> addresses obfuscated.   The leftsourceip is part of the leftsubnet -- 
> yet it ended up being assigned to the tunnel facing NIC with a /16 
> mask.   Commenting out the leftsourceip line gets rid of the problem.
>
> conn DR
>         left=1.2.123.217
>         leftnexthop=1.2.123.218
>         leftsubnet=172.21.99.0/24
>         leftsourceip=172.21.99.100
>         leftid=@dr.local
>         # rsakey AQPLd3j2f
>         leftrsasigkey=0sAQPLd3j2...
>
> Thanks
>
> -Greg Scott
>
>
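
A way to check a gateway for the symptom reported in the quoted post, as an added example that is not part of the original thread or of Openswan: it compares a conn stanza with `ip -o -4 addr show` output and reports when the leftsourceip address is bound to the interface that holds `left=` or carries a mask other than the leftsubnet one. The function names and both sample inputs are constructed for illustration, and `left=` is assumed to be a literal address.

```python
import ipaddress
import re

# Constructed conn stanza, using the obfuscated addresses from the post.
SAMPLE_CONN = """\
conn DR
        left=1.2.123.217
        leftsubnet=172.21.99.0/24
        leftsourceip=172.21.99.100
"""

# Constructed `ip -o -4 addr show` output reproducing the reported symptom.
SAMPLE_IP_ADDR = """\
2: eth0    inet 1.2.123.217/30 brd 1.2.123.219 scope global eth0
2: eth0    inet 172.21.99.100/16 scope global eth0
3: eth1    inet 172.21.99.100/24 brd 172.21.99.255 scope global eth1
"""

def parse_conn(text):
    """Return the key=value options of one ipsec.conf conn stanza."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def parse_ip_addr(text):
    """Return (ifname, IPv4Interface) pairs from `ip -o -4 addr show`."""
    pairs = re.findall(r"^\d+:\s+(\S+)\s+inet\s+(\S+)", text, re.M)
    return [(name, ipaddress.ip_interface(addr)) for name, addr in pairs]

def check_sourceip(conn_text, ip_addr_text):
    """List places where leftsourceip sits on the wrong NIC or mask."""
    opts = parse_conn(conn_text)
    source = ipaddress.ip_address(opts["leftsourceip"])
    subnet = ipaddress.ip_network(opts["leftsubnet"])
    left = ipaddress.ip_address(opts["left"])  # assumes a literal address
    addrs = parse_ip_addr(ip_addr_text)
    # The interface carrying the tunnel endpoint is the Internet-facing one.
    wan_ifs = {name for name, a in addrs if a.ip == left}
    findings = []
    for name, a in addrs:
        if a.ip != source:
            continue
        if name in wan_ifs:
            findings.append(f"{a} is bound to {name}, which holds left={left}")
        if a.network.prefixlen != subnet.prefixlen:
            findings.append(f"{a} on {name} does not use the leftsubnet mask /{subnet.prefixlen}")
    return findings
```

On a live system, pass the real conn stanza and the captured output of `ip -o -4 addr show` to `check_sourceip`; an empty list means the address appears only where the configuration says it should.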