[strongSwan] routing issue with IKEv1 tunnels after upgrade to 4.5.0

Tobias Brunner tobias at strongswan.org
Tue Dec 7 12:17:12 CET 2010

Hi Benoit,

 > If "defaultTunnel" is established first and t1 second, the strongSwan
 > server receives the traffic from the tunnel t1 but doesn't send back
 > packets through it. The traffic seems to always be routed to the
 > tunnel "defaultTunnel". If t1 is established first and
 > "defaultTunnel" second, it works.
 > Any ideas why this doesn't work anymore after upgrading? Is there a
 > way to ensure this always works regardless of the connection
 > establishment order?

The observed behavior is due to a difference between pluto's 4.4.1 
kernel interface and charon's kernel interface plugins which pluto uses 
in 4.5.0.  The difference is the calculation of the priorities assigned 
to policies installed in the kernel.  Whereas pluto did include the 
netmask of the destination net in this calculation, charon did not so 
far.  Thus, the priorities of the policies installed in your case are 
equal and the kernel obviously chooses the one installed first.  I 
committed a patch to master [1] which changes the kernel interfaces to 
include the destination net into the priority calculation.


[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=e6f42b07
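
The tie described in the message above can be reproduced with a small model. This is an added example, not part of the original post and not strongSwan or kernel code; the subnets, the base value and both priority formulas are assumptions chosen only to show the ordering effect.

```python
import ipaddress

# Constructed outbound policies; the subnets are assumptions, not from the thread.
POLICIES = {
    "defaultTunnel": ipaddress.ip_network("0.0.0.0/0"),
    "t1": ipaddress.ip_network("10.1.0.0/16"),
}
BASE = 2000  # hypothetical base priority; a lower value is preferred


def prio_flat(dst):
    """Model of the behaviour described for 4.5.0: destination net ignored."""
    return BASE


def prio_with_dst(dst):
    """Model of the fix: a longer destination prefix gives a preferred value."""
    return BASE - dst.prefixlen


def install(order, prio_fn):
    """Build the policy list in establishment order, sorted by priority.

    sorted() is stable, so policies with equal priority stay in installation
    order, matching the first-installed-wins behaviour the message describes.
    """
    entries = [(prio_fn(POLICIES[name]), name) for name in order]
    return sorted(entries, key=lambda e: e[0])


def select(spd, dst_ip):
    """Return the first policy whose destination selector matches dst_ip."""
    addr = ipaddress.ip_address(dst_ip)
    for _, name in spd:
        if addr in POLICIES[name]:
            return name
    return None


def outcome(order, prio_fn, dst_ip="10.1.2.3"):
    """Which tunnel carries a reply to dst_ip for a given establishment order."""
    return select(install(order, prio_fn), dst_ip)


if __name__ == "__main__":
    for fn in (prio_flat, prio_with_dst):
        for order in (["defaultTunnel", "t1"], ["t1", "defaultTunnel"]):
            print(fn.__name__, order, "->", outcome(order, fn))
```
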
