git.ipfire.org Git - thirdparty/strongswan.git/commit
WIP: Windows virtual IP notes win-vip
author Martin Willi <martin@revosec.ch>
Tue, 16 Sep 2014 12:45:47 +0000 (14:45 +0200)
committer Martin Willi <martin@revosec.ch>
Tue, 10 Mar 2015 08:35:55 +0000 (09:35 +0100)
commit d50fd962a9bfea277de9131375e793deb80874a5
tree b2dc9362f365f551da38b2dacf5a68668d8136bf
parent f79bcc96343ff418f6fb44a3add0dbd0d43c0e1e
WIP: Windows virtual IP notes

When not using skipAsSource with the installed virtual IP, the IP gets promoted
as source address for the already available routes over that interface. When
setting the flag, all of our manually installed IPsec routes still use
the interface's main address as source address, as the route uses that interface.

To fix this issue, we probably need a dedicated interface for virtual IPs that
allows us to install our separated routes over that interface.

Using the MS Loopback adapter kinda works; when disabling skipAsSource, an
address installed to that adapter gets used and outgoing traffic flows as
expected. Inbound traffic, though, fails with STATUS_IPSEC_CLEAR_TEXT_DROP,
probably related to:

https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-wfp#Accessing-Gateway-internal-address-in-a-net-to-net-tunnel
src/libcharon/plugins/kernel_iph/kernel_iph_net.c