Re: [nm-libreswan] set static routes without knowing the assign ip address

From: Antonio Silva <asilva wirelessmundi com>
To: Thomas Haller <thaller redhat com>, networkmanager-list gnome org
Subject: Re: [nm-libreswan] set static routes without knowing the assign ip address
Date: Wed, 1 Jun 2016 11:42:23 +0200

Hi Thomas,

Thanks for the reply.

Indeed, most of the times you let the vpn to configure allautomatically, in my case it sets the default gateway to the vpn, andthis works perfectly.

I can think of one case (by experience) where not using the remote vpnas default gateway is useful. For example, when you have a slowconnection to / from the remote vpn site that will slow down all ofyour connections, instead you can set what subnets/destinations areserver by the vpn and use your default gateway for all normal connections.

Yes, in this case the remote vpn server is controlled by me, it'srunning libreswan as well, but i'm authenticating the user using radiusand is not possible to force a static ip, that's why i need to use awildcard gateway. Another solution could be the usage of variables inthe gateway definition, something like ${VPN_IP_ADDRESS}, not reallysure how this could be implemented...

I'm my example, the ip 192.168.20.3 is because i force the range of ipsin libreswan to only one ip, so i could test the static routing.

Also, libreswan, at the moment, don't allow you to sent to the remoteend what subnets will be served, it will always set the vpn to be thedefault gateway once connected. So the option to let the routes getconfigured automatically in this case is discarded.

For now my solution is to connect the vpn without routes, them i have aup-down script that parses the ip assign when connecting and sets allthe routes that i need.


Regards,


On 06/01/2016 10:37 AM, Thomas Haller wrote:

On Fri, 2016-05-27 at 00:02 +0200, Antonio Silva wrote:

Hi,
is it possible to add static routes when you don't know the ip that
will gonna be assign by vpn server?
The idea is to use  connection only to connect to the remote
networks, all the default traffic should not be sent to the vpn.

In configuration IPV4, I set routes:
Routes Automatic: Off
address: 192.168.8.0
netmask: 255.255.255.0
gateway: 0.0.0.0
x - Use this connection only for resources on its network.

When connecting, the route is added but no traffic! This
configuration works with nm-vpnc
ip r shows:
192.168.8.0/24 dev wlp3s0f0  proto static  scope link  metric 50

Since i know the ip address of the vpn, i know set the routes:
Routes Automatic: Off
address: 192.168.8.0
netmask: 255.255.255.0
gateway: 192.168.20.3
x - Use this connection only for resources on its network.

This works, i see the route and the traffic to remote network is ok.
ip r shows:
192.168.8.0/24 via 192.168.20.3 dev wlp3s0f0  proto static  metric
50

Could be a nice feature to detect the assign ip address to the vpn
and replace the 0.0.0.0 when configuring the route.

BTW, tested with git version, last commit
b2a4514a78d39e2f4c9760d655e9a762be2c5f96.

Thanks.
António

Hi António,


what you suggest here is currently not possible. It would certainly be
a useful feature to support wildcard gateways.

Similar to openvpn, where you can specify the gateway of routes
as vpn_gateway, net_gateway, remote_host.



Note that in your example you did static addressing of the VPN. As you
do that, it seems you already know the details about the network behind
the VPN and you should equally know the precise gateway to use.
OTOH, if you use dynamic addressing, it will also work, because you
also receive the correct gateway from the VPN connection.
Why do you want to configure the gateway manually instead of letting it
be configured automatically?
So, it seems in your example you don't need that, do you?

Of course, you can think of examples where a wildcard gateway is indeed
useful. Possibly your situation is more complex so that you could use
it...


Also, NetworkManager treats the default route somehow special from
regular static routes. For what is worth, I think that is a mistake,
but anyway.
When adding a static non-default route, a wildcard gateway becomes much
more useful then for the default-route. For the default-route it seems
less needed. Can you not just accept whatever you get dynamically,
instead of configuring the gateway manually?


Thomas


--

Saludos / Regards / Cumprimentos,
António silva

References:
- Re: [nm-libreswan] set static routes without knowing the assign ip address
  - From: Thomas Haller

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]