author | Martin Willi <martin@strongswan.org> | 2016-09-16 14:50:07 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2017-05-23 16:49:39 +0200 |
commit | 9b29003cd9e12075070106eb9481954ab34912ca (patch) | |
tree | dde24a01c6a66630aa1ad5964558f77e97b65691 /conf | |
parent | 46a3f92a76b748a3086912215e14a3c9f1a5a98b (diff) | |
download | strongswan-9b29003cd9e12075070106eb9481954ab34912ca.tar.bz2 strongswan-9b29003cd9e12075070106eb9481954ab34912ca.tar.xz |
socket-default: Add an option to force the sending interface via IP_PKTINFO
On Linux, setting the source address is insufficient to force a packet to be
sent over a certain path. The kernel uses the best route to select the outgoing
interface, even if we set a source address of a lower priority interface. This
is not only true for interfaces attaching to the same subnet, but also for
unrelated interfaces; the kernel (at least on 4.7) sends out the packet on
whatever interface it sees fit, even if that network does not expect packets
from the source address we force to.
When a better interface becomes available, strongSwan sends its MOBIKE address
list update using the old source address. But the kernel sends that packet over
the new best interface. If that network drops packets having the unexpected
source address from the old path, the MOBIKE update fails and the SA finally
times out.
To enforce a specific interface for our packet, we explicitly set the interface
index from the interface where the source address is installed. According to
ip(7), this overrules the specified source address to the primary interface
address. As this could have side effects for installations using multiple
addresses on a single interface, we disable the option by default for now.
This also allows using IPv6 link-local addresses, which won't work if
the outbound interface is not set explicitly.
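The mechanism the commit message describes, setting the outgoing interface index through an IP_PKTINFO control message on sendmsg(2), as an added illustration (example code written for this page, not strongSwan's socket-default plugin). It builds the cmsg, parses it back the way the kernel would read it, and wraps a sendmsg call that pins a datagram to a given interface index; the interface index 3 and address 10.0.0.1 in main are constructed sample values, and a real caller would obtain the index with if_nametoindex(3):

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <net/if.h>

/* Space for exactly one IP_PKTINFO control message. */
#define PKTINFO_CMSG_LEN CMSG_SPACE(sizeof(struct in_pktinfo))

/* Fill ctrl (at least PKTINFO_CMSG_LEN bytes) with an IP_PKTINFO cmsg.
 * ifindex == 0 only requests the source address (the set_source behaviour);
 * a nonzero ifindex additionally forces the sending interface, which per
 * ip(7) makes the kernel replace the source with that interface's primary
 * address (the set_sourceif behaviour and its caveat). Returns the length
 * to place in msg_controllen, or 0 if the buffer is too small. */
size_t build_pktinfo_cmsg(unsigned char *ctrl, size_t ctrl_len,
                          int ifindex, struct in_addr src)
{
    struct msghdr msg;
    struct cmsghdr *cmsg;
    struct in_pktinfo *pi;

    if (ctrl_len < PKTINFO_CMSG_LEN) return 0;
    memset(ctrl, 0, ctrl_len);
    memset(&msg, 0, sizeof(msg));
    msg.msg_control = ctrl;
    msg.msg_controllen = PKTINFO_CMSG_LEN;

    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = IPPROTO_IP;
    cmsg->cmsg_type = IP_PKTINFO;
    cmsg->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
    pi = (struct in_pktinfo *)CMSG_DATA(cmsg);
    pi->ipi_ifindex = ifindex;   /* outgoing interface, 0 = let routing decide */
    pi->ipi_spec_dst = src;      /* requested source address */
    return PKTINFO_CMSG_LEN;
}

/* Walk a control buffer and pull out the IP_PKTINFO fields; returns 1 if found. */
int parse_pktinfo_cmsg(unsigned char *ctrl, size_t ctrl_len,
                       int *ifindex, struct in_addr *src)
{
    struct msghdr msg;
    struct cmsghdr *cmsg;

    memset(&msg, 0, sizeof(msg));
    msg.msg_control = ctrl;
    msg.msg_controllen = ctrl_len;
    for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) {
        if (cmsg->cmsg_level == IPPROTO_IP && cmsg->cmsg_type == IP_PKTINFO) {
            struct in_pktinfo *pi = (struct in_pktinfo *)CMSG_DATA(cmsg);
            *ifindex = pi->ipi_ifindex;
            *src = pi->ipi_spec_dst;
            return 1;
        }
    }
    return 0;
}

/* Send one UDP datagram on fd to dst, pinned to ifindex when nonzero.
 * Returns the sendmsg(2) result. */
ssize_t send_udp_via(int fd, const struct sockaddr_in *dst,
                     const void *data, size_t len,
                     int ifindex, struct in_addr src)
{
    unsigned char ctrl[PKTINFO_CMSG_LEN];
    struct iovec iov = { (void *)data, len };
    struct msghdr msg;

    memset(&msg, 0, sizeof(msg));
    msg.msg_name = (void *)dst;
    msg.msg_namelen = sizeof(*dst);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = ctrl;
    msg.msg_controllen = build_pktinfo_cmsg(ctrl, sizeof(ctrl), ifindex, src);
    return sendmsg(fd, &msg, 0);
}

int main(void)
{
    unsigned char ctrl[PKTINFO_CMSG_LEN];
    struct in_addr src, back;
    int idx = 0;
    char txt[INET_ADDRSTRLEN];

    inet_pton(AF_INET, "10.0.0.1", &src);          /* constructed sample source */
    build_pktinfo_cmsg(ctrl, sizeof(ctrl), 3, src); /* constructed sample ifindex */
    parse_pktinfo_cmsg(ctrl, sizeof(ctrl), &idx, &back);
    inet_ntop(AF_INET, &back, txt, sizeof(txt));
    printf("IP_PKTINFO: ifindex=%d spec_dst=%s\n", idx, txt);
    return 0;
}
```

The distinction the commit draws is visible in the one field: with ipi_ifindex left at 0 the kernel still picks the outgoing interface from the best route, so only the source address is influenced; with it set, the interface is fixed but the source address may be rewritten to that interface's primary address, which is why the option ships disabled.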
Diffstat (limited to 'conf')
-rw-r--r-- | conf/plugins/socket-default.opt | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/conf/plugins/socket-default.opt b/conf/plugins/socket-default.opt index 483a0f03d..570bd0ec7 100644 --- a/conf/plugins/socket-default.opt +++ b/conf/plugins/socket-default.opt @@ -4,6 +4,12 @@ charon.plugins.socket-default.fwmark = charon.plugins.socket-default.set_source = yes Set source address on outbound packets, if possible. +charon.plugins.socket-default.set_sourceif = no + Force sending interface on outbound packets, if possible. + + Force sending interface on outbound packets, if possible. This allows + using IPv6 link-local addresses as tunnel endpoints. + charon.plugins.socket-default.use_ipv4 = yes Listen on IPv4, if possible. |
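Review bot: The description for set_sourceif contains the line "Force sending interface on outbound packets, if possible." twice, once on its own and again as the start of the next paragraph; keep only the second paragraph (the one that adds the IPv6 link-local sentence) so the generated strongswan.conf(5) text does not show the duplicate. The option text also leaves out the caveat that motivates the default of no in the commit message: per ip(7), forcing the interface index overrides the configured source address with the interface's primary address, which can change behaviour for hosts with several addresses on one interface. A sentence to that effect would let administrators judge whether enabling it is safe for their setup.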