[strongSwan] routing issue with IKEv1 tunnels after upgrade to 4.5.0
tobias at strongswan.org
Tue Dec 7 12:17:12 CET 2010
> If "defaultTunnel" is established first and t1 second, the strongSwan
> server receives the traffic from the tunnel t1 but doesn't send back
> packets through it. The traffic seems to always be routed to the
> tunnel "defaultTunnel". If t1 is established first and
> "defaultTunnel" second, it works.
> Any ideas why this doesn't work anymore after upgrading? Is there a
> way to ensure this always work regardless of the connection
> establishment order?
The observed behavior is due to a difference between pluto's 4.4.1
kernel interface and charon's kernel interface plugins which pluto uses
in 4.5.0. The difference is the calculation of the priorities assigned
to policies installed in the kernel. Whereas pluto did include the
netmask of the destination net in this calculation, charon did not so
far. Thus, the priorities of the policies installed in your case are
equal and the kernel obviously chooses the one installed first. I
commited a patch to master  which changes the kernel interfaces to
include the destination net into the priority calculation.
More information about the Users