Re: [Ipsec-tools-devel] racoonctl vpn-connect bound to wrong IP
Brought to you by:
mit_warlord,
netbsd
Menu
▾
▴
Re: [Ipsec-tools-devel] racoonctl vpn-connect bound to wrong IP
|
From: Timo T. <tim...@ik...> - 2009-01-07 08:42:34
|
Adrian Bridgett wrote:
> I have an IPSec endpoint which has multiple IP addresses on the
> external interface. If I start IKE using "racoonctl vpn-connect" I
> see this:
>
> 2009-01-06 20:27:58: DEBUG: 104 bytes from 192.168.1.207[500] to 1.2.3.4[500]
> 2009-01-06 20:27:58: DEBUG: sockname 192.168.1.205[500]
> 2009-01-06 20:27:58: DEBUG: send packet from 192.168.1.207[500]
>
> Even though I have this in racoon.conf (yes, I appreciate this is
> _listen_ and not send but hey :-)):
> listen {
> isakmp 192.168.1.205;
> strict_address;
> }
>
> If I trigger the VPN using SPD policies fortunately it does use
> 192.168.1.205 all the way through.
>
> I've traced this back to src/racoon/admin.c (admin_process) line 475
> - isakmp_ph1begin_i is called with local set to 192.168.1.207.
>
> This was using ipsec-tools 0.6.6-3.1etch1 from Debian etch - I can't
> see anything in NEWS file for 0.7.1 that suggests anything will have
> changed though.
racoonctl vpn-connect uses kernel routing table source hint to
decide which IP address to use. You can force it to use some fixed
IP address by invoking:
racoonctl establish-sa isakmp inet srcip dstip
which will do otherwise exactly the same thing as vpn-connect
would do.
The listen does not affect to src IP for sent packets, which
is kinda dubious, as you'll probably never receive the response
packets anyway.
- Timo
|