[strongSwan] Multiple subnets in local_ts not installing desired route
Jonathan Chocron
jonathan.chocron at icloud.com
Tue Mar 1 14:15:00 CET 2022
Hi,
I've been banging my head on this problem and I think I need help. I have two Linux gateways, both running strongSwan under Debian. I am using swanctl.
GW1 only has one local subnet (10.195.196.0/24), whereas GW2 has two subnets (10.200.201.0/24 and 10.200.209.0/24).
On GW1, I have the following configuration:
connections {
    conn1 {
        version = 2
        remote_addrs = vpn.cholli-perche.org
        local_addrs = vpn.cholli.org
        dpd_delay = 30s
        mobike = no
        children {
            conn1 {
                dpd_action = trap
                start_action = start
                remote_ts = 10.200.209.0/24,10.200.201.0/24
                local_ts = 10.195.196.0/24
                ipcomp = no
            }
        }
        local {
            auth = psk
            id = router.cholli.org
        }
        remote {
            auth = psk
            id = vpn.cholli-perche.org
        }
    }
}
On GW2 I have this configuration:
connections {
    conn1 {
        version = 2
        reauth_time = 0s
        rekey_time = 0s
        remote_addrs = vpn.cholli.org
        local_addrs = vpn.cholli-perche.org
        dpd_delay = 30s
        mobike = no
        children {
            conn1 {
                start_action = start
                dpd_action = trap
                local_ts = 10.200.201.0/24,10.200.209.0/24
                remote_ts = 10.195.196.0/24
                ipcomp = no
            }
        }
        local {
            auth = psk
            id = @vpn.cholli-perche.org
        }
        remote {
            auth = psk
            id = router.cholli.org
        }
    }
}
GW1 and everything behind it can connect to GW2 and everything behind it, in both subnets.
However, GW2 only installs the following route:
ip route show table 220
10.195.196.0/24 dev enp2s0 proto static src 10.200.209.1
As a result, all packets from GW2 originate from 10.200.209.1 by default. The problem is that this network is my IoT network, which I consider insecure. Consequently, GW1 will reject traffic from this network unless GW1 has initiated the connection.
In short I need Strongswan to install this route instead:
10.195.196.0/24 dev enp2s0 proto static src 10.200.201.1
I have tried inverting the local_ts list and using traffic selectors (although I'd need a wildcard), but haven't been able to make it work. I have no idea how strongSwan chooses the source address it sets up in the routing table.
I’d be very grateful for any pointers on how to deal with this.
Kind regards,
Jonathan
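The check described above, as an added example that is not part of the original message and not strongSwan's own code: it reads the route strongSwan installed in its routing table (220 by default), extracts the "src" address the kernel will use for locally originated traffic, and emits an "ip route replace" for the same prefix with the desired source address when they differ. The prefix, device and addresses are the ones from the post; the sample route line is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post or from strongSwan).
# Checks which source address the table-220 route carries and, if it is the
# address of the IoT subnet, rewrites the route with the trusted one.
# Assumed values (taken from the post): remote prefix 10.195.196.0/24,
# device enp2s0, unwanted src 10.200.209.1, desired src 10.200.201.1.

# Print the "src" address of one "ip route show" line; prints nothing if absent.
route_src() {
    # $1: one route line, e.g. "10.195.196.0/24 dev enp2s0 proto static src 10.200.209.1"
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]src[[:space:]]\([0-9.]*\).*/\1/p'
}

# Print the "ip route replace" command needed to fix the route, or nothing
# when the route already carries the desired source address.
fix_route_cmd() {
    # $1: route line  $2: destination prefix  $3: desired src  $4: device  $5: table
    cur=$(route_src "$1")
    if [ "$cur" != "$3" ]; then
        printf 'ip route replace %s dev %s proto static src %s table %s\n' \
            "$2" "$4" "$3" "$5"
    fi
}

# Constructed sample: the route GW2 installed according to the post.
SAMPLE='10.195.196.0/24 dev enp2s0 proto static src 10.200.209.1'

if [ "${1:-}" = "--apply" ]; then
    # Live run on the gateway: look up the current route and apply the fix if needed.
    line=$(ip route show table 220 | grep '^10\.195\.196\.0/24 ')
    cmd=$(fix_route_cmd "$line" 10.195.196.0/24 10.200.201.1 enp2s0 220)
    [ -n "$cmd" ] && sh -c "$cmd"
else
    # Dry run: show what would be executed for the sample route.
    fix_route_cmd "$SAMPLE" 10.195.196.0/24 10.200.201.1 enp2s0 220
fi
```

Run it without arguments for a dry run, or with "--apply" as root on GW2. Two caveats: charon reinstalls its route whenever the CHILD_SA is re-established, so a one-off replace can be undone behind your back; if you want to own that route yourself, set charon.install_routes = no in strongswan.conf and add the route with the desired src permanently. And note that this only changes which address GW2 itself uses for traffic it originates; forwarded traffic from hosts in 10.200.209.0/24 still arrives at GW1 with their own source addresses and is filtered there as before.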