[strongSwan-dev] [PATCH] Fix unnecessary dumping of entire routing table.

Tobias Brunner tobias at strongswan.org
Wed Sep 30 12:13:14 CEST 2015


Hi Oliver,

> So, let's take the following scenario:
> 
> left=192.0.2.1
> right=192.0.2.2
> leftsubnet=10.0.0.0/16
> rightsubnet=0.0.0.0/0
> leftsourceip=192.168.0.1
> rightsourceip=192.168.0.2

Please have a look at [1] as this config is invalid.  Let's use a
classic roadwarrior config:

right=<vpn gateway>
rightsubnet=0.0.0.0/0
leftsourceip=%config

The VPN gateway will assign a virtual IP to the client and the IPsec
policies will be for <virtual IP>/32 <-> 0.0.0.0/0.  But after
installing the virtual IP on the system the client won't automatically
use it for outbound traffic.  Instead, it would use the physical IP, but
that wouldn't match the outbound policy with a source selector of
<virtual IP>/32.  Therefore, charon will install a default route in
table 220 with that virtual IP set as source IP.  This forces the
virtual IP as source address for ALL traffic that does not match any
more specific routes in the same table (or one with higher priority) or
has not explicitly set a source IP/interface (e.g. via IP_PKTINFO).  So
even for IKE packets the virtual IP would be used as source, which we
clearly don't want.  That's why the plugin does its own route lookup to
find the actual route and source IP to reach the other peer while
ignoring such source routes installed by the daemon.  As explained in my
last email this last part won't work without dumping the whole routing
table, unless the approach with marks is used.  The found source IP is
then finally forced on IKE packets using IP_PKTINFO.

The same is true if you don't use leftsourceip but, for instance, have a
host with two interfaces one in 10.0.1.0/24 and one attached to the
public Internet and you have a config like this:

leftsubnet=10.0.1.0/24
rightsubnet=0.0.0.0/0

In order for traffic generated on the gateway itself to get tunneled,
charon will also install a source route that forces the IP in the
10.0.1.0/24 subnet installed on the internal interface as source IP for
all traffic.  As again, the source address would otherwise be the
physical IP and thus not match the IPsec policies with a source selector
of 10.0.1.0/24.  If that's unwanted the route installation can also be
disabled (charon.install_routes, however, this currently does not
disable dumping the routing table).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp



More information about the Dev mailing list