Openswan doesn't honor 'left=' parameter on host with multiple IPs

Bug #1092816 reported by Ronald Moesbergen
This bug affects 1 person
Affects: openswan (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned

Bug Description

Ubuntu release: 12.04.1
Openswan version: 2.6.37-1

It appears that the openswan version in Ubuntu 12.04 does not honor the 'left=' parameter when used on a host with multiple external IP addresses on one 'public' interface. For example: I have a host with two IPs bound to eth0:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 2c:76:8a:53:63:d0 brd ff:ff:ff:ff:ff:ff
    inet 11.22.33.44/24 brd 82.94.228.231 scope global eth0
    inet 11.22.33.46/24 scope global secondary eth0

I want to use the 11.22.33.46 address as the sending IP for this connection. However, openswan always picks 11.22.33.44 as the sending address, which fails to connect because that address isn't known by the peer. (IPs are 'fake', obviously.)

Installing an older version of the package (the one from 10.04 LTS) fixes the problem. So version 2.6.23+dfsg-1ubuntu1 works correctly. That's the workaround I'm currently using.

Example config:

conn testme
    auth=esp
    authby=secret
    auto=start
    disablearrivalcheck=no
    esp=aes128-sha1
    ike=aes128-sha1-modp1024
    ikelifetime=24h
    keyexchange=ike
    keylife=8h
    left=11.22.33.46
    leftsourceip=10.16.1.1
    leftsubnet=10.17.15.1/32
    pfs=no
    rekey=yes
    right=99.88.77.66
    rightsubnets={10.16.0.0/13,10.2.0.0/16,10.6.28.0/24}
    type=tunnel

Simon Déziel (sdeziel) wrote :

Ronald, I think that if you add a route to get to right= using the source IP 11.22.33.46 it should work.

Here's an example:

 $ ip ro get 99.88.77.66 # checking the source IP used to get to right=
 99.88.77.66 via 172.24.27.1 dev wlan0 src 11.22.33.46
    cache

You see that by default it uses the "main" IP on wlan0. Now let's add the other IP

 $ sudo ip addr add 11.22.33.46/24 dev wlan0 # adding this IP alias

And add a route to right= using that new IP as the source

 $ sudo ip ro add 99.88.77.66 via 172.24.27.1 src 11.22.33.46 # 172.24.27.1 is my default GW

And confirm all worked:

 $ ip ro get 99.88.77.66
 99.88.77.66 via 172.24.27.1 dev wlan0 src 11.22.33.46
    cache
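The workaround above relies on the kernel choosing the same source address that left= names. The following pre-flight check is an added example written for this page (not openswan code, and not posted by either commenter): it reads left= and right= out of a conn block, parses the output of `ip route get <right>` to see which source address the kernel actually selected, and, when they disagree, builds the `ip route add ... src` command from the parsed gateway and device. The conn block is trimmed from the report; the two `ip route get` outputs are constructed to mirror the format shown in the comment, and the "before" case assumes the kernel picked the primary address 11.22.33.44.

```python
import subprocess
from typing import Optional

# Constructed sample data for this example. The conn block is trimmed from
# the bug report; the `ip route get` outputs are hypothetical, modelled on the
# format in the workaround comment: "before" the src route exists (kernel picks
# the primary address) and "after" it has been added.
IPSEC_CONF = """\
conn testme
    authby=secret
    auto=start
    left=11.22.33.46
    leftsubnet=10.17.15.1/32
    right=99.88.77.66
    type=tunnel
"""

ROUTE_GET_BEFORE = "99.88.77.66 via 172.24.27.1 dev eth0 src 11.22.33.44\n    cache\n"
ROUTE_GET_AFTER = "99.88.77.66 via 172.24.27.1 dev eth0 src 11.22.33.46\n    cache\n"


def parse_conn(conf: str, name: str) -> dict:
    """Return the key=value settings of one `conn <name>` section of an ipsec.conf."""
    settings = {}
    in_conn = False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            in_conn = line.split(None, 1)[1].strip() == name
            continue
        if in_conn and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def parse_route_get(output: str) -> dict:
    """Extract dst, gateway (absent for on-link peers), device and the
    kernel-selected src from the first line of `ip route get` output."""
    first = output.strip().splitlines()[0].split()
    route = {"dst": first[0], "via": None, "dev": None, "src": None}
    for key in ("via", "dev", "src"):
        if key in first:
            route[key] = first[first.index(key) + 1]
    return route


def check_left_source(conf: str, conn: str, route_get_output: str) -> dict:
    """Compare left= with the source address the kernel would use to reach right=.

    ok=True when they agree; otherwise `fix` holds the per-destination
    `ip route add ... src <left>` command from the workaround comment.
    """
    settings = parse_conn(conf, conn)
    left, right = settings["left"], settings["right"]
    route = parse_route_get(route_get_output)
    ok = route["src"] == left
    fix: Optional[str] = None
    if not ok:
        parts = ["ip", "route", "add", right]
        if route["via"]:                      # no gateway when right= is on-link
            parts += ["via", route["via"]]
        if route["dev"]:
            parts += ["dev", route["dev"]]
        parts += ["src", left]
        fix = " ".join(parts)
    return {"ok": ok, "expected_src": left, "selected_src": route["src"], "fix": fix}


def live_route_get(right: str) -> str:
    """Run the real `ip route get <right>`; not used by the offline sample below."""
    return subprocess.run(["ip", "route", "get", right], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for label, out in (("before", ROUTE_GET_BEFORE), ("after", ROUTE_GET_AFTER)):
        print(label, check_left_source(IPSEC_CONF, "testme", out))
```

Running this against `live_route_get(settings["right"])` before `ipsec auto --up` tells you whether the host will actually source the IKE exchange from left=; if `ok` is False, the suggested route makes the kernel's selection agree with the config, which is exactly what the manual `ip ro add ... src` step above does.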

Ronald Moesbergen (intercommit) wrote :

Thanks Simon, that would indeed work. However, I consider it a workaround for a problem in openswan. With the older version, openswan itself sends with the correct sending IP specified in left=, without having to add explicit routing rules.
