Hi Tobias,<br> I added "charon.install_routes = no" in strongswan.conf, but the routes are still getting installed.<br><br>Example:<br>charon {<br> # number of worker threads in charon<br> threads = 16<br>
charon.install_routes = no<br><br>}<br><br>1) When will strongswan.conf be loaded?<br>2) Will it be loaded when we do "ipsec restart"?<br>3) Is there any syntax error in the above example which makes it not work?<br>
<br>Regards, <br>Saravanan N<br><br><div class="gmail_quote">On Mon, Apr 16, 2012 at 6:55 PM, SaRaVanAn <span dir="ltr"><<a href="mailto:saravanan.nagarajan87@gmail.com" target="_blank">saravanan.nagarajan87@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Tobias,<br> Thanks for your nice reply. I will get back to you with further doubts on this.<br> <br>
Regards,<br> Saravanan N <br><div class="HOEnZb"><div class="h5"><br><div class="gmail_quote">On Mon, Apr 16, 2012 at 2:50 PM, Tobias Brunner <span dir="ltr"><<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Saravanan,<br>
<div><br>
> I have established a VPN tunnel between GW and VPN server using<br>
> Strongswan.<br>
<br>
</div>Is the tunnel between those two hosts intended as host-host tunnel or as<br>
host-net tunnel? What did you configure for left|rightsubnet?<br>
<br>
If your SPD entries are any indication it seems you configured<br>
rightsubnet=0.0.0.0/0 on GW. That is, you end up with this outbound<br>
IPsec policy:<br>
<div><br>
> 50.1.1.239[any] 0.0.0.0/0[any] any<br>
> out prio high + 1073739901 ipsec<br>
</div>> ...<br>
<br>
Which means that any packet leaving the host with a source address of<br>
50.1.1.239 will be sent into this tunnel.<br>
Now you'd assume that this won't apply for a ping sent from<br>
172.31.114.230 to 172.31.114.231, but if you are using IKEv2 a source<br>
route is installed which will force 50.1.1.239 as source for any packets<br>
sent from GW (i.e. also for the ICMP replies). This route is installed<br>
in routing table 220 by default (which is created with a priority of<br>
220). The table and/or priority can be changed with the<br>
charon.routing_table and charon.routing_table_prio strongswan.conf<br>
options, respectively (or with the respective ./configure arguments).<br>
To prevent the daemon from installing these routes altogether you can<br>
set charon.install_routes=no in strongswan.conf.<br>
<br>
Regards,<br>
Tobias<br>
</blockquote></div><br>
</div></div></blockquote></div><br>
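The syntax question raised in this thread, as an added example that is not from the mail or from strongSwan's own code: a hypothetical, simplified parser that flattens strongswan.conf sections into the dotted names the documentation uses, run over the snippet as posted and over the same option written as a bare key inside the charon section. The sample configurations are constructed, and a default of yes for charon.install_routes is assumed.

```python
import re

# Constructed sample: the posted snippet, option as a dotted name inside charon { }.
CONF_AS_POSTED = """
charon {
    # number of worker threads in charon
    threads = 16
    charon.install_routes = no
}
"""

# Constructed sample: the same option as a bare key inside the section.
CONF_CORRECTED = """
charon {
    threads = 16
    install_routes = no
    routing_table = 220
    routing_table_prio = 220
}
"""

def parse_strongswan_conf(text):
    """Flatten strongswan.conf-style sections into dotted names.
    Hypothetical, simplified parser: 'section {', '}', 'key = value' and
    '#' comments only (no include, quoting or escapes)."""
    settings, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        section = re.match(r"^([\w.-]+)\s*\{$", line)
        if section:
            stack.append(section.group(1))
        elif line == "}":
            stack.pop()  # IndexError here means an unbalanced '}'
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"cannot parse line: {raw!r}")
            # Every enclosing section prefixes the key, so a dotted name inside
            # charon { } lands under charon.charon.*, not charon.install_routes.
            settings[".".join(stack + [key.strip()])] = value.strip()
    if stack:
        raise ValueError("unclosed section(s): " + ", ".join(stack))
    return settings

def install_routes_enabled(text):
    """True if charon would still install routes (assumed default: yes)."""
    return parse_strongswan_conf(text).get("charon.install_routes", "yes") != "no"
```

Inside a section, keys are bare names; the dotted form charon.install_routes is only the documentation's way of naming the key install_routes within the charon section.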