That's because strongSwan allows configuring the base address from where the assignment to clients starts (e.g. to keep the lower addresses reserved for manual assignment to internal hosts like the server itself). By configuring the "broadcast" address of that subnet as base, you inadvertently configured an empty pool. Which is basically like configuring Such an empty pool will confirm whatever IP address the client proposes (the base address is ignored), which obviously only works correctly if the client actually requests a specific IP address. If it doesn't, i.e. requests So it's not really a bug (or at least not unknown behavior), but could be surprising to users.
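The answer above describes the pool semantics that caused the problem: assignment starts at the configured base address and stops before the subnet's broadcast address, so a base equal to the broadcast address yields a pool with zero assignable addresses. The following is an added example, not strongSwan code, that models those semantics in Python and audits a list of pool specifications before they are deployed. The exact first/last rules (network address skipped when used as base, broadcast excluded, /31 and /32 treated as fully usable) are an assumption derived from the answer, and the sample specs, including the broadcast-as-base value 10.64.24.127/28, are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Model of how a swanctl "pools" entry of the form <base>/<prefix> is
# interpreted. ASSUMPTION (not strongSwan's own code): assignable addresses
# run from the base address up to, but not including, the subnet's broadcast
# address; if the base is the network address itself it is skipped too.
# Pools of one or two addresses (/32, /31) are treated as fully usable.


def pool_range(spec: str) -> Dict[str, object]:
    """Return network, first/last assignable address and count for a pool spec.

    count == 0 means the pool is empty. As the answer above explains, an empty
    pool simply confirms whatever address the client proposes, and a client
    that does not request a specific address ends up without a virtual IP.
    """
    base_str, has_prefix, prefix_str = spec.partition("/")
    base = ipaddress.ip_address(base_str)
    if base.version != 4:
        raise ValueError("this model only covers IPv4 pools")
    prefix = int(prefix_str) if has_prefix else 32
    # strict=False keeps the host bits of the base instead of rejecting them
    net = ipaddress.ip_network(f"{base}/{prefix}", strict=False)

    if net.num_addresses <= 2:
        first = base
        last = net.broadcast_address  # /31 and /32: every address is usable
    else:
        first = base + 1 if base == net.network_address else base
        last = net.broadcast_address - 1  # broadcast is never assigned

    count = max(0, int(last) - int(first) + 1)
    return {
        "network": str(net),
        "first": str(first),
        "last": str(last),
        "count": count,
    }


def audit_pools(specs: List[str]) -> List[Tuple[str, int, str]]:
    """Flag pool specs that would silently yield no assignable addresses.

    Returns (spec, count, verdict) per entry; verdict is "EMPTY" or "OK".
    """
    report = []
    for spec in specs:
        info = pool_range(spec)
        verdict = "EMPTY" if info["count"] == 0 else "OK"
        report.append((spec, int(info["count"]), verdict))
    return report


if __name__ == "__main__":
    # Constructed sample pools: the broadcast-as-base mistake, the corrected
    # pool from the question, a pool starting mid-subnet, and a single host.
    samples = ["10.64.24.127/28", "10.64.24.128/28", "10.64.24.120/28", "10.64.24.5/32"]
    for spec, count, verdict in audit_pools(samples):
        info = pool_range(spec)
        print(f"{spec:>18} -> {info['network']:>18} "
              f"{info['first']}..{info['last']} ({count} addresses) {verdict}")
```

Running the audit against a swanctl pool list before `swanctl --load-pools` turns the "surprising" empty-pool case into an explicit error instead of a 0.0.0.0/0 traffic selector at connection time.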
Hi,
I am in the process of converting my ipsec.conf configuration to swanctl.
In the process I made an error and defined an IP pool like this
Which looks like this when loaded
This is what the connection using it looks like when defined
This connection is for roadwarrior scenario, the client is macOS.
"dynamic" is usually substituted for the assigned VIP from the pool in this case, but because I defined the pool wrong, it ended up doing this instead:
Notice the remote traffic selector of 0.0.0.0/0. Ouch.
The result was absolutely catastrophic. I'm not sure how catastrophic exactly, because the machine immediately stopped responding on network (to anything except maybe ARP) and somehow also took the KVM console with it, or at least the console wasn't responding. When I retried to investigate, it resumed after probably the child tunnel timed out, but I can't see anything except that log above and "kernel: IPv4: martian source" messages that make no sense (I am quite careful about routing and filtering). I am not keen on trying that again in case I'm causing some sort of network loop, which would explain the general unresponsiveness of everything...
Did I just stumble upon a massive bug caused by IP Pool running out of addresses in general, or was it caused by defining a pool with 0 addresses in the first place?
Also, I'd expect the subnet to be interpreted as "10.64.24.112/28" (this is the first software I've seen that doesn't). I'll probably just file a bug for this right away.
Should I file a bug? I was about to but maybe someone here can comment first. It's possible I'm doing something wrong with swanctl but I don't think so, because once I fixed the subnet to 10.64.24.128/28 it started working just fine.
Anybody willing to replicate it in their setup?
And for the record: Ubuntu 22.04.4, strongswan 5.9.5-2ubuntu2.2