Re: [Ipsec-tools-devel] racoonctl vpn-connect bound to wrong IP
From: Timo T. <tim...@ik...> - 2009-01-07 08:42:34
Adrian Bridgett wrote:
> I have an IPSec endpoint which has multiple IP addresses on the
> external interface. If I start IKE using "racoonctl vpn-connect" I
> see this:
>
> 2009-01-06 20:27:58: DEBUG: 104 bytes from 192.168.1.207[500] to 1.2.3.4[500]
> 2009-01-06 20:27:58: DEBUG: sockname 192.168.1.205[500]
> 2009-01-06 20:27:58: DEBUG: send packet from 192.168.1.207[500]
>
> Even though I have this in racoon.conf (yes, I appreciate this is
> _listen_ and not send but hey :-)):
>
> listen {
>     isakmp 192.168.1.205;
>     strict_address;
> }
>
> If I trigger the VPN using SPD policies fortunately it does use
> 192.168.1.205 all the way through.
>
> I've traced this back to src/racoon/admin.c (admin_process) line 475
> - isakmp_ph1begin_i is called with local set to 192.168.1.207.
>
> This was using ipsec-tools 0.6.6-3.1etch1 from Debian etch - I can't
> see anything in the NEWS file for 0.7.1 that suggests anything will have
> changed though.

racoonctl vpn-connect uses the kernel routing table source hint to decide
which IP address to use. You can force it to use some fixed IP address by
invoking:

    racoonctl establish-sa isakmp inet srcip dstip

which will otherwise do exactly the same thing as vpn-connect would do.

The listen does not affect the src IP for sent packets, which is kinda
dubious, as you'll probably never receive the response packets anyway.

- Timo
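An added example that is not part of the thread or of ipsec-tools: a small POSIX shell helper that applies Timo's advice. It reads the kernel's source hint for the peer (the `src` field of Linux `ip route get`, here fed from a constructed sample line rather than a live query), compares it with the address configured in racoon.conf's `listen {}` block (the 192.168.1.205 from Adrian's post), and prints the `racoonctl establish-sa isakmp inet srcip dstip` form when the two differ, or plain `racoonctl vpn-connect` when they already agree. The variable and function names are our own; `plan_live` is only there for hosts that actually have iproute2 and racoonctl installed and is not invoked.

```shell
#!/bin/sh
# Added example, not code from the thread or from ipsec-tools.
# Decide whether "racoonctl vpn-connect" would send IKE from the wrong
# address and, if so, emit the explicit "establish-sa isakmp inet" form.

# The isakmp address from racoon.conf's listen {} block (value from the
# post; the variable name is ours).
LISTEN_IP="192.168.1.205"

# Constructed sample of what "ip route get 1.2.3.4" prints on Linux when
# the kernel's preferred source for that destination is 192.168.1.207,
# i.e. the same hint vpn-connect ends up using.
ROUTE_SAMPLE="1.2.3.4 via 192.168.1.1 dev eth0 src 192.168.1.207 uid 0"

# Print the address that follows the "src" keyword in an "ip route get"
# line; print nothing if the line carries no source hint.
source_hint_from_route() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "src") { print $(i + 1); exit }
    }'
}

# Arguments: listen address, peer address, one "ip route get" output line.
# Prints the racoonctl command that will send phase 1 from the listen
# address. Returns 1 if the route line has no usable hint.
establish_cmd() {
    listen="$1"
    dst="$2"
    route_line="$3"
    hint=$(source_hint_from_route "$route_line")
    if [ -z "$hint" ]; then
        echo "no source hint found in route line: $route_line" >&2
        return 1
    fi
    if [ "$hint" = "$listen" ]; then
        # Kernel hint already matches listen {}; vpn-connect binds correctly.
        printf 'racoonctl vpn-connect %s\n' "$dst"
    else
        # Hint differs: force the source explicitly, as Timo suggests.
        printf 'racoonctl establish-sa isakmp inet %s %s\n' "$listen" "$dst"
    fi
}

# Live variant: ask the kernel instead of using the sample. Needs iproute2
# (and racoonctl to run the printed command). Not invoked in this file.
plan_live() {
    route_line=$(ip route get "$2" 2>/dev/null | head -n 1)
    establish_cmd "$1" "$2" "$route_line"
}

# Demo against the constructed sample: prints the establish-sa form,
# because the hint (.207) differs from the listen address (.205).
establish_cmd "$LISTEN_IP" 1.2.3.4 "$ROUTE_SAMPLE"
```

The script only prints the command; on a real endpoint you would review it and then run it (or call `plan_live "$LISTEN_IP" <peer>` and pipe its output to sh). The check is deliberately conservative: it falls back to `vpn-connect` only when the routing hint and the `listen {}` address are identical, since that is the one case the thread says works.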