[strongSwan-dev] Feature request: to set whether or not to install_route for each connection setting

Tobias Brunner tobias at strongswan.org
Mon May 13 11:12:58 CEST 2019


Hi Masakazu,

> According to the following document, it is noted that in the case of
> Route-based VPN, set "charon.install_routes = 0".
> 
> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
> 
>> First, the route installation by the IKE daemon must be disabled. To do
>> this, set charon.install_routes=0 in strongswan.conf.

That's not required for all route-based solutions.

> What if I want to mix Route-based VPN and Policy-based VPN?

You don't necessarily need the daemon to install the routes.  They might
not even be necessary (depends on the routing configuration and the
policies), or can easily be installed manually (or via script).  Also,
with XFRM interfaces, the global install_routes option does not have to
be disabled.

> It is useful to be able to do the same setting as install_routes for each
> connection setting. Like below.
> 
> https://github.com/m-asama/strongswan/commit/d22c5f2f33659fb07b78dc297468e4e83a0b1f7d
> 
> Is it possible to have these options added?

I'm currently not in favor of this because routes are handled/shared
kinda strangely, so side-effects are possible.  Plus there are some
other features that depend on the global option being disabled (e.g. the
fast route lookup).

Regards,
Tobias
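
One way to do the "via script" route installation mentioned above, as an added example that is not part of the original message or of strongSwan's own code: an updown script that adds and removes the route for a single connection while charon.install_routes=0 stays set globally. The tunnel device name passed as the first argument (e.g. vti0) and the function names are assumptions; PLUTO_VERB and PLUTO_PEER_CLIENT are environment variables set by strongSwan's updown plugin.

```shell
#!/bin/sh
# Added example: per-connection route handling from an updown script, for
# use when charon.install_routes=0 is set globally.
# Assumption: the tunnel device name (e.g. vti0) is passed as $1 from the
# connection's updown setting; it is not taken from the thread.

# Accept only characters that can occur in an IPv4/IPv6 CIDR string.
valid_subnet() {
    case "$1" in
        ''|*[!0-9a-fA-F.:/]*) return 1 ;;
        */*) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only plain interface names (no options, no shell metacharacters).
valid_dev() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the ip(8) command for one updown event, or nothing if the event
# needs no route change (host-to-host events are ignored here).
# Returns 1 when the subnet or device fails validation.
route_cmd() {
    verb=$1 subnet=$2 dev=$3
    valid_subnet "$subnet" && valid_dev "$dev" || return 1
    case "$verb" in
        up-client|up-client-v6)     echo "ip route replace $subnet dev $dev" ;;
        down-client|down-client-v6) echo "ip route del $subnet dev $dev" ;;
    esac
}

# Act only when invoked by the updown plugin, which sets PLUTO_VERB.
if [ -n "${PLUTO_VERB:-}" ]; then
    cmd=$(route_cmd "$PLUTO_VERB" "${PLUTO_PEER_CLIENT:-}" "${1:-}") || {
        echo "updown: rejected subnet or device" >&2
        exit 1
    }
    # $cmd is split on purpose; both operands were validated above.
    [ -z "$cmd" ] || $cmd
fi
```

The script runs as root with values taken from the negotiated traffic selectors, which is why both operands are checked before they reach ip(8).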