From patchwork Fri Mar 2 02:15:38 2018
X-Patchwork-Submitter: Jonatan Schlag
X-Patchwork-Id: 1680
From: Jonatan Schlag
To: network@lists.ipfire.org
Subject: [PATCH] IPsec: Fix routing
Date: Thu, 1 Mar 2018 15:15:38 +0000
Message-Id: <1519917338-3303-1-git-send-email-jonatan.schlag@ipfire.org>
X-Mailer: git-send-email 2.6.3
List-Id: List for the network package

Based on the examples found in strongswan we need to specify the source IP for our routes through an IPsec VPN. If we have no source IP (a router can route packages which do not belong to the network assigned to our zones) we set no routes, but clients can still use the tunnel.

For IPsec VPNs in tunnel mode we also need the device which has the ${PLUTO_ME} IP address assigned.

The source IP is determined by ip_get_assigned_addresses_from_net(); the device is determined by the device_get_by_ip_address() function.

For tunnel mode see: https://www.strongswan.org/testing/testresults/ipv6-stroke/net2net-ip4-in-ip6-ikev2/moon.ip.route

Fixes: #11629
Signed-off-by: Jonatan Schlag
---
 src/helpers/ipsec-updown | 46 +++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 39 insertions(+), 7 deletions(-)

diff --git a/src/helpers/ipsec-updown b/src/helpers/ipsec-updown
index 12ead03..3764085 100644
--- a/src/helpers/ipsec-updown
+++ b/src/helpers/ipsec-updown
@@ -86,13 +86,45 @@ case "${PLUTO_VERB}" in ;; esac - # Set routes - if isset INTERFACE; then - cmd ip route add "${PLUTO_PEER_CLIENT}" \ - dev "${INTERFACE}" - else - cmd ip route add "${PLUTO_PEER_CLIENT}" \ - via "${PLUTO_PEER}" + #Get sources IP for routes + SRC_IP=($(ip_get_assigned_addresses_from_net \ + "${PLUTO_MY_CLIENT}" "permanent")) + + # Set routes if we have a source IP. + # If not the machine does not has a leg on the net + # and we can go on without routes. + if isset SRC_IP; then + # We take the lowest source IP we found, + # which is ugly because the value is unpredictable. + SRC_IP=${SRC_IP[0]} + + if isset INTERFACE; then + if ! cmd ip route add \ + "${PLUTO_PEER_CLIENT}" \ + dev "${INTERFACE}" \ + src "${SRC_IP}"; then + log ERROR \ + "Could not set routes for ${PLUTO_PEER_CLIENT}" + fi + else + # Get the device which we use to peer with the other site. + ME_DEVICE = "$(device_get_by_ip_address "${PLUTO_ME}")" + + # We can only go on if we found a device. + if isset ME_DEVICE; then + if ! cmd ip route add \ + "${PLUTO_PEER_CLIENT}" \ + dev "${ME_DEVICE}" \ + proto static \ + src "${SRC_IP}" \ + table 220; then + log ERROR \ + "Could not set routes for ${PLUTO_PEER_CLIENT}" + fi + else + log ERROR "Could not get device for ${PLUTO_ME}" + fi + fi fi ;;
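Review bot: the line `ME_DEVICE = "$(device_get_by_ip_address "${PLUTO_ME}")"` in the tunnel-mode branch has spaces around `=`, so the shell treats `ME_DEVICE` as a command name with `=` and the device name as its arguments instead of performing an assignment; `ME_DEVICE` is never set, `isset ME_DEVICE` always fails, and every tunnel-mode SA ends in `log ERROR "Could not get device for ${PLUTO_ME}"` with no route installed. It should read `ME_DEVICE="$(device_get_by_ip_address "${PLUTO_ME}")"`. Also worth addressing before merge: the two `ip route add` calls are not symmetric (only the tunnel-mode one sets `proto static` and `table 220`) and the commit message does not say why; the comment `# We take the lowest source IP we found, which is ugly because the value is unpredictable.` documents a known problem rather than fixing it, so either pick the address deterministically or state why any assigned address is acceptable; and the comments `#Get sources IP for routes` and `# If not the machine does not has a leg on the net` should read `# Get source IP for routes` and `does not have a leg`.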