[Users] FreeS/WAN and ip address alias problem - RESOLUTION

From: Kevin Cave (kevin_cave_at_wreckage.org)
Date: Wed May 08 2002 - 18:04:37 CEST


I have just solved a problem I had with freeswan not working properly
with ip address aliasing.

Definition of Problem
---------------------

ipsec0 would be assigned an incorrect ip address that belonged
to an alias of eth0.

For example, eth0, an external, internet-facing interface on my firewall
would have an original ip address of x.x.x.226. It would also, thanks to
an iptables firewall script generated by a brilliant little program
called fwbuilder, have additional aliases with ip addresses of
x.x.x.227 and x.x.x.228 , for the purposes of NAT on the firewall.

The problem was, that when I started freeswan after I implemented
the firewall script, ipsec0 would be assigned the ip address of
x.x.x.227 , which was not the way I designed my ipsec configuration.

This behaviour manifested itself only AFTER I had executed my
firewall script, if I started freeswan before that, ipsec would work
flawlessly, meaning that any changes I made thereafter involved a reboot
of the firewall, (or general stopping/starting of network services and
flushing of iptables).

What Caused The Problem
-----------------------

After scratching my head on this for a while, and looking around the
internet for details on ip address aliasing, I saw lots of referrals to
"eth0:1" , "eth0:2" etc. etc. and so on and so forth, which puzzled me
greatly because when I did an ifconfig on my firewall, all I got was
eth0 and its details - including the incorrect ip address of x.x.x.227.

Today (at time of writing of this email), it suddenly occurred to me,
after looking at the fwbuilder-generated script, that no labels were
being assigned to the aliased ip addresses for eth0!!!

The original aliasing command was :

ip -f inet addr add xxx.xx.xx.227 dev eth0 scope link

and

ip -f inet addr add xxx.xx.xx.228 dev eth0 scope link

The Solution
------------

Altering these commands to :

ip -f inet addr add xxx.xxx.xxx.227 dev eth0 scope link label eth0:1

and

ip -f inet addr add xxx.xxx.xxx.228 dev eth0 scope link label eth0:2

was the solution to my problems.

Therefore:

Summary
-------

If you are having problems with FreeS/WAN and ip address aliasing,
always check that the aliased interface has also been assigned an alias
label.

I hope this helps others who see this problem.

Regards

Kevin Cave.
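
An added example, not part of the original post and not code from FreeS/WAN or fwbuilder: a shell check for the condition the summary describes, listing additional IPv4 addresses whose label is still the bare device name. The function name and the 192.0.2.x sample lines are constructed, and treating the first address listed for a device as its original address is an assumption.

```shell
#!/bin/sh
# Reads `ip -o -f inet addr show` output on stdin and prints "dev address"
# for every additional address on a device that carries no alias label
# (its label is just the device name, e.g. "eth0" rather than "eth0:1").
# Assumption: the first address listed for a device is its original one.
find_unlabeled_aliases() {
    awk '
    {
        sub(/\\.*/, "")              # drop the "\ valid_lft ..." tail
        dev = $2; addr = ""
        for (i = 3; i < NF; i++)
            if ($i == "inet") addr = $(i + 1)
        if (addr == "") next
        label = $NF                  # ip prints the label last
        seen[dev]++
        if (seen[dev] > 1 && label == dev) print dev, addr
    }'
}

# Constructed sample in the one-line format of `ip -o -f inet addr show`:
# .227 was added without a label, .228 with "label eth0:2".
sample_output() {
cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.226/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.227/32 scope link eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.228/32 scope link eth0:2\       valid_lft forever preferred_lft forever
EOF
}

sample_output | find_unlabeled_aliases

# On a live firewall, run after the firewall script and before starting ipsec:
#   ip -o -f inet addr show | find_unlabeled_aliases
```

Any line it prints is an alias to re-add with a label before FreeS/WAN is started.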



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:58 CEST