From d50fd962a9bfea277de9131375e793deb80874a5 Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Tue, 16 Sep 2014 14:45:47 +0200
Subject: [PATCH] WIP: Windows virtual IP notes

When not using skipAsSource with the installed virtual IP, the IP gets promoted as source address for the already available routes over that interface. When setting the flag, all of our manually installed IPsec routes still use the interfaces main address as source address, as the route uses that interface.

To fix this issue, we probably need a dedicated interface for virtual IPs that allows us to install our separated routes over that interface. Using the MS Loopback adapter kinda works; when disabling skipAsSource, an address installed to that adapter gets used and outgoing traffic flows as expected. Inbound traffic, though, fails with STATUS_IPSEC_CLEAR_TEXT_DROP, probably related to: https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-wfp#Accessing-Gateway-internal-address-in-a-net-to-net-tunnel
---
 src/libcharon/plugins/kernel_iph/kernel_iph_net.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/libcharon/plugins/kernel_iph/kernel_iph_net.c b/src/libcharon/plugins/kernel_iph/kernel_iph_net.c
index 905b3a620f..3abc4ca6c5 100644
--- a/src/libcharon/plugins/kernel_iph/kernel_iph_net.c
+++ b/src/libcharon/plugins/kernel_iph/kernel_iph_net.c
@@ -736,7 +736,7 @@ static void host2unicast(host_t *host, int prefix, MIB_UNICASTIPADDRESS_ROW *row
 row->PrefixOrigin = IpPrefixOriginOther;
 row->SuffixOrigin = IpSuffixOriginOther;
 /* don't change the default route to this address */
- row->SkipAsSource = TRUE;
+ row->SkipAsSource = FALSE;
 if (prefix == -1)
 {
 if (row->Address.si_family == AF_INET)
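Review bot: The comment directly above the changed line, `/* don't change the default route to this address */`, now states the opposite of what `row->SkipAsSource = FALSE;` does, so it should be rewritten or the flag change made conditional on the interface being used. With SkipAsSource cleared, Windows may pick this address as source for existing routes over the interface, which is the very effect the commit message describes; for an IPsec virtual IP that means traffic outside the installed IPsec routes could leave with the tunnel address as source. If the experiment is kept, a comment such as `/* WIP: VIP allowed as source address so routes over the dedicated adapter use it; see commit message */` would make the intent explicit. host2unicast starts outside the hunk.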
@@ -760,6 +760,9 @@ METHOD(kernel_net_t, add_ip, status_t,
 MIB_UNICASTIPADDRESS_ROW row;
 u_long status;
+ /* name of the MS Loopback adapter */
+ name = "{DB2C49B1-7C90-4253-9E61-8C6A881194ED}";
+
 host2unicast(vip, prefix, &row);
 row.InterfaceIndex = add_addr(this, name, vip, TRUE);
@@ -865,8 +868,8 @@ static status_t manage_route(private_kernel_iph_net_t *this, bool add,
 }
 if (gtw)
 {
- memcpy(&row.NextHop, gtw->get_sockaddr(gtw),
- *gtw->get_sockaddr_len(gtw));
+ /*memcpy(&row.NextHop, gtw->get_sockaddr(gtw),
+ *gtw->get_sockaddr_len(gtw));*/
 }
 if (add)
--
2.47.2
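Review bot: The added assignment `name = "{DB2C49B1-7C90-4253-9E61-8C6A881194ED}";` overwrites what appears to be add_ip's caller-supplied interface name with a GUID that identifies the MS Loopback adapter on one particular machine, so on any other host add_addr() is handed an interface that does not exist; how that failure surfaces is not visible in the hunk. If the loopback adapter is meant to be selectable, read the adapter name from configuration and fall back to the original `name` when unset, and mark the value as machine-specific in the comment, e.g. `/* WIP: hard-coded, machine-specific GUID of the MS Loopback adapter */`. The parameter list of add_ip and the handling of the add_addr() result lie outside the hunk.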
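Review bot: Commenting out the memcpy leaves `if (gtw) { }` as an empty block, so a route the caller specifies with a gateway is installed with whatever row.NextHop held beforehand; the row's initialization is outside the hunk, and if it was zeroed the result is an on-link route regardless of the gateway passed in. If skipping the next hop is the intended experiment for the loopback adapter, state it rather than leaving dead code, e.g. replace the commented-out lines with `/* WIP: NextHop intentionally left unset so routes over the loopback adapter are installed on-link */`, or keep the copy and skip it only for that interface. manage_route begins and ends outside the hunk.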