Open cagney opened 1 month ago
It is the same in the sense that it uses the same code to set the ip for xfrmi. Unlike sourceip it actually does not have to be from the local subnet, but I haven't seen any use cases for that. The only thing that comes to my mind would be something like interface-ip=%defaultroute, to handle dynamic ips for host-host or host-subnet connections. If no sourceip/interface-ip is set, the source ip for host-host/subnet routes is undefined, which I actually work around in _updown.xfrm:
diff --git a/programs/_updown.xfrm/_updown.xfrm.in b/programs/_updown.xfrm/_updown.xfrm.in
index 0791ea2975..c873dbecaf 100644
--- a/programs/_updown.xfrm/_updown.xfrm.in
+++ b/programs/_updown.xfrm/_updown.xfrm.in
@@ -771,11 +771,16 @@ doroute() {
parms2="${parms2} dev ${peer_interface%:*}"
- # make sure we have sourceip locally in this machine
- if [ "${cmd}" = "replace" -a -n "${PLUTO_MY_SOURCEIP}" ]; then
- addsource
- # use sourceip as route default source
- parms2="${parms2} src ${PLUTO_MY_SOURCEIP}"
+ if [ "${cmd}" = "replace" ]; then
+ # make sure we have sourceip locally in this machine
+ if [ -n "${PLUTO_MY_SOURCEIP}" ]; then
+ addsource
+ # use sourceip as route default source
+ parms2="${parms2} src ${PLUTO_MY_SOURCEIP}"
+ elif [ "${FAMILY}" = "${HOST_FAMILY}" ]; then
+ # fallback to pluto host ip
+ parms2="${parms2} src ${PLUTO_ME}"
+ fi
fi
case "${PLUTO_PEER_CLIENT}" in
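Review bot: the new `elif` branch adds `src ${PLUTO_ME}` without checking that `PLUTO_ME` is non-empty, while the `PLUTO_MY_SOURCEIP` branch just above it does guard with `-n`; if `PLUTO_ME` is ever unset the resulting `ip route replace ... src` would get an empty argument and fail. Suggest `elif [ -n "${PLUTO_ME}" -a "${FAMILY}" = "${HOST_FAMILY}" ]; then`, and expanding the comment `# fallback to pluto host ip` to say why the family check is there (the route source must be in the same address family as the route destination, so an IPv4 host address cannot be used as `src` for an IPv6 route).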
This follows up: `interface-ip=` only allows one CIDR yet `sourceip=` allows two addresses. I'm guessing that's a gap. Presumably `interface-ip=` gets added unconditionally when the kernel interface device is created (which is before anything has been negotiated), but how does this relate to `sourceip=`? If `interface-ip=` is redundant then this can be ignored? @wofferl @antonyantony thoughts