<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi,<br class="">
<br class="">
I’ve been banging my head on this problem and I think I need help. I have two Linux gateways, both running strongSwan under Debian. I am using swanctl.<br class="">
GW1 only has one local subnet (10.195.196.0/24), while GW2 has two subnets (10.200.201.0/24 and 10.200.209.0/24).<br class="">
<br class="">
On GW1, I have the following configuration:<br class="">
<br class="">
<b class="">connections {<br class="">
  conn1 {<br class="">
    version = 2<br class="">
    remote_addrs = vpn.cholli-perche.org<br class="">
    local_addrs = vpn.cholli.org<br class="">
    dpd_delay = 30s<br class="">
    mobike = no<br class="">
<br class="">
    children {<br class="">
      conn1 {<br class="">
        dpd_action = trap<br class="">
        start_action = start<br class="">
        remote_ts = 10.200.209.0/24,10.200.201.0/24<br class="">
        local_ts = 10.195.196.0/24<br class="">
        ipcomp = no<br class="">
      }<br class="">
    }<br class="">
    local {<br class="">
      auth = psk<br class="">
      id = router.cholli.org<br class="">
    }<br class="">
    remote {<br class="">
      auth = psk<br class="">
      id = vpn.cholli-perche.org<br class="">
    }<br class="">
  }<br class="">
}<br class="">
</b><br class="">
<br class="">
On GW2 I have this configuration:<br class="">
<br class="">
<b class="">connections {<br class="">
  conn1 {<br class="">
    version = 2<br class="">
    reauth_time = 0s<br class="">
    rekey_time = 0s<br class="">
    remote_addrs = vpn.cholli.org<br class="">
    local_addrs = vpn.cholli-perche.org<br class="">
    dpd_delay = 30s<br class="">
    mobike = no<br class="">
<br class="">
    children {<br class="">
      conn1 {<br class="">
        start_action = start<br class="">
        dpd_action = trap<br class="">
        local_ts = 10.200.201.0/24,10.200.209.0/24<br class="">
        remote_ts = 10.195.196.0/24<br class="">
        ipcomp = no<br class="">
      }<br class="">
    }<br class="">
    local {<br class="">
      auth = psk<br class="">
      id = @vpn.cholli-perche.org<br class="">
    }<br class="">
    remote {<br class="">
      auth = psk<br class="">
      id = router.cholli.org<br class="">
    }<br class="">
  }<br class="">
}</b><br class="">
<br class="">
GW1 and everything behind it can connect to GW2 and everything behind it, in both subnets.<br class="">
However, GW2 only installs the following route:<br class="">
<br class="">
<b class="">ip route show table 220<br class="">
10.195.196.0/24 dev enp2s0 proto static src 10.200.209.1</b><div class=""><br class=""></div><div class="">As a result, all packets from GW2 originate from 10.200.209.1 by default. The problem is that this network is my IoT network, which I consider insecure. Consequently, GW1 will reject traffic from this network unless GW1 has initiated the connection.</div><div class=""><br class=""></div><div class="">In short, I need strongSwan to install this route instead:</div><div class=""><b class="">10.195.196.0/24 dev enp2s0 proto static src 10.200.201.1</b></div><div class=""><br class=""></div><div class="">I have tried inverting the local_ts list, and using traffic selectors (although I’d need a wildcard), but haven’t been able to make it work. I have no idea how strongSwan chooses the interface it sets up in the routing table.</div><div class=""><br class=""></div><div class="">I’d be very grateful for any pointers on how to deal with this.</div><div class=""><br class=""></div><div class="">Kind regards,</div><div class=""><br class=""></div><div class="">Jonathan</div></body></html>
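As an added example (not part of Jonathan's mail and not strongSwan code): a small audit script, assuming Python 3 and iproute2, that parses the output of `ip route show table 220` and flags any route whose `src` address falls inside the untrusted IoT subnet, so a gateway can verify after each tunnel (re)establishment that its IPsec policy routes do not source traffic from that network. The sample route line is constructed from the output quoted above.

```python
import ipaddress
import re
import subprocess

# Constructed sample of `ip route show table 220` output, mirroring the
# route GW2 installed in the post (table 220 is strongSwan's policy-route table).
SAMPLE_TABLE_220 = "10.195.196.0/24 dev enp2s0 proto static src 10.200.209.1\n"

# The subnet the post treats as untrusted (IoT) and the source address
# that should be used instead; both taken from the post.
UNTRUSTED_SRC = ipaddress.ip_network("10.200.209.0/24")
EXPECTED_SRC = ipaddress.ip_address("10.200.201.1")

# Matches "<dst> dev <iface> ... src <addr>"; routes without a src are skipped.
ROUTE_RE = re.compile(r"^(?P<dst>\S+)\s+dev\s+(?P<dev>\S+).*?\bsrc\s+(?P<src>\S+)")


def parse_routes(text):
    """Return (dst_network, dev, src_address) tuples for each route line with a src."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
        try:
            routes.append((ipaddress.ip_network(dst, strict=False),
                           m["dev"], ipaddress.ip_address(m["src"])))
        except ValueError:
            continue  # unparsable line (e.g. IPv6 forms we do not handle here)
    return routes


def find_bad_routes(text, untrusted=UNTRUSTED_SRC):
    """Routes whose source address lies inside the untrusted subnet."""
    return [(str(dst), dev, str(src))
            for dst, dev, src in parse_routes(text) if src in untrusted]


def read_table_220():
    """Live check on the gateway: raw text of routing table 220 (needs iproute2)."""
    return subprocess.run(["ip", "route", "show", "table", "220"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for dst, dev, src in find_bad_routes(SAMPLE_TABLE_220):
        print(f"route to {dst} via {dev} sources from untrusted {src}; expected {EXPECTED_SRC}")
```

Replace `SAMPLE_TABLE_220` with `read_table_220()` to run it against the live table, for example from a swanctl `updown`-style hook or a cron job, and alert on a non-empty result.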