<div dir="ltr"><div>Hello,</div><div><br></div><div>I'm having what seems to be a similar problem as that described in ticket #85 (<a href="https://wiki.strongswan.org/issues/85">https://wiki.strongswan.org/issues/85</a>) except that my connections are up, I'm just not routing correctly.</div><div><br></div><div>My goal is to have many roadwarrior clients getting virtual dynamic IP addresses, which I want to remain connected to the VPN as early and reliably as possible. I thought auto=route was the best way to achieve that. I've included my client and server ipsec.confs at the end of this email.</div><div><br></div><div>When I use auto=add (or auto=start) I can get a connection with no problem, and traffic flows. After doing so, <font face="monospace">ip route list table 220</font> looks like this:</div><div><br></div><div><font face="monospace"><a href="http://172.16.0.0/16">172.16.0.0/16</a> via 192.168.1.254 dev eth0 proto static src 172.16.0.3<br></font></div><div><br></div><div>However if I use auto=route (or run <font face="monospace">ipsec route</font> and then <font face="monospace">ipsec up</font>), my table 220 looks like this:</div><div><br></div><div><font face="monospace"><a href="http://172.16.0.0/16">172.16.0.0/16</a> via 192.168.1.254 dev eth0 proto static<br></font></div><div><br></div><div>So presumably traffic is being sent with the src set to my interface's real IP instead of the virtual one. If I remove the leftsubnet directive from the client config, I get a route with src explicitly set to my real IP.</div><div><br></div><div>The trap works OK, and the connection is brought up when it should be. But shouldn't the route be replaced by the correct on when the tunnel is established?</div><div><br></div><div>Thanks,</div><div>Alex</div><div><br></div><div>P.S. For now I'm using auto=start with a low charon.retry_initiate_interval, dpdaction=restart and closeaction=restart. Is that sufficient in terms of keeping the connection up? Once these are out in the field it's going to be inconvenient to physically access them, so I really want to make sure the tunnel stays active as long as an internet connection is present.</div><div><br></div><div><pre># Gateway ipsec.conf
config setup
uniqueids=never
charondebug="cfg 4, dmn 4, ike 4, net 4"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn my-conn
left=%any
leftcert=my-server-cert.pem
leftid=<a href="http://my-server-fqdn.com">my-server-fqdn.com</a>
leftsubnet=<a href="http://172.16.0.0/16">172.16.0.0/16</a>
leftauth=pubkey
leftfirewall=yes
right=%any
rightsourceip=<a href="http://172.16.0.0/16">172.16.0.0/16</a>
auto=add
# Clients ipsec.conf
config setup
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn my-conn
left=%any
leftsourceip=%config
leftcert=my-client-cert.pem
leftid=<a href="http://my-client-fqdn.com">my-client-fqdn.com</a>
leftsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a>
leftfirewall=yes
right=<a href="http://my-server-fqdn.com">my-server-fqdn.com</a>
rightid=<a href="http://my-server-fqdn.com">my-server-fqdn.com</a>
rightsubnet=<a href="http://172.16.0.0/16">172.16.0.0/16</a>
auto=add
</pre></div></div>