<div dir="ltr">Hi Noel,<div><br></div><div>Thanks for the suggestion, I tried that. I<span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif">f I remove the leftsubnet directive from the client config, I get a route with src explicitly set to my interface's real IP, which has the same effect. I also tried setting it to the virtual IP pool, and the current virtual IP under lease, to no avail. I'll double check tomorrow but I think one or both of those resulted in no route being added at all.</span></div><div><font color="#212121" face="helvetica neue, helvetica, arial, sans-serif"><br></font></div><div><font color="#212121" face="helvetica neue, helvetica, arial, sans-serif">It seems to me like the correct route can only be added at connection time, because it needs the virtual IP that might not have been assigned yet, but the sans-src route is necessary before then to make the trap work. So the route needs to be replaced when a connection is established, but I can't work out how to make strongswan do that.</font></div><div><font color="#212121" face="helvetica neue, helvetica, arial, sans-serif"><br></font></div><div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif">Any other ideas of how to make this work? I know updown.sh is there as a last resort but I'm hoping to stick to simple configuration.</span></div><div><span style="color:rgb(33,33,33);font-family:"helvetica neue",helvetica,arial,sans-serif"><br></span></div><div><font color="#212121" face="helvetica neue, helvetica, arial, sans-serif">Thanks,</font></div><div><font color="#212121" face="helvetica neue, helvetica, arial, sans-serif">Alex</font></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, 27 Oct 2016 at 23:49 Noel Kuntze <<a href="mailto:noel@familie-kuntze.de">noel@familie-kuntze.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">><br class="gmail_msg">
> <a href="http://172.16.0.0/16" rel="noreferrer" class="gmail_msg" target="_blank">172.16.0.0/16</a> via 192.168.1.254 dev eth0 proto static src 172.16.0.3<br class="gmail_msg">
><br class="gmail_msg">
> However if I use auto=route (or run ipsec route and then ipsec up), my table 220 looks like this:<br class="gmail_msg">
><br class="gmail_msg">
> <a href="http://172.16.0.0/16" rel="noreferrer" class="gmail_msg" target="_blank">172.16.0.0/16</a> via 192.168.1.254 dev eth0 proto static<br class="gmail_msg">
<br class="gmail_msg">
<br class="gmail_msg">
As I wrote on IRC, that's because of this setting on the client.<br class="gmail_msg">
> leftsubnet=<a href="http://0.0.0.0/0" rel="noreferrer" class="gmail_msg" target="_blank">0.0.0.0/0</a><br class="gmail_msg">
Remove it.<br class="gmail_msg">
<br class="gmail_msg">
--<br class="gmail_msg">
<br class="gmail_msg">
Mit freundlichen Grüßen/Kind Regards,<br class="gmail_msg">
Noel Kuntze<br class="gmail_msg">
<br class="gmail_msg">
GPG Key ID: 0x63EC6658<br class="gmail_msg">
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br class="gmail_msg">
<br class="gmail_msg">
<br class="gmail_msg">
</blockquote></div>