[strongSwan] routing all traffic through tunnel without local one

Matthias Dahl ml-strongswan at binary-island.eu
Sun Mar 7 16:00:59 CET 2010


Hello everyone.

I have the following setup: I have a strongSwan server on a public IP which 
has no local subnet behind it. Now if I connect to it with strongSwan from my 
local machine, which is on a local network behind a router, I can connect to 
it, ping it and use the services of my server just fine.

The problem: I want to route all my internet traffic through the server and 
the local traffic should stay on the local net.

No matter what I do, I cannot get this to work. If I use the config at the end 
of this mail, I end up with these policies on the client:

src 0.0.0.0/0 dst SERVER_IP/32 
        dir fwd priority 2000 
        tmpl src SERVER_IP dst 192.168.2.132
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 172.31.25.1/32 
        dir in priority 2000 
        tmpl src SERVER_IP dst 192.168.2.132
                proto esp reqid 1 mode tunnel
src 172.31.25.1/32 dst 0.0.0.0/0 
        dir out priority 1680 
        tmpl src 192.168.2.132 dst SERVER_IP
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir 3 priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir 4 priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir 3 priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir 4 priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir 3 priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir 4 priority 0 

Now _all_ traffic is routed through the tunnel, no matter whether it is for the 
local network or not. If I comment out the appropriate LEFT|RIGHTSUBNET=0.0... 
lines, I get the following policies:

src SERVER_IP/32 dst 172.31.25.1/32 
        dir fwd priority 1680 
        tmpl src SERVER_IP dst 192.168.2.132
                proto esp reqid 1 mode tunnel
src SERVER_IP/32 dst 172.31.25.1/32 
        dir in priority 1680 
        tmpl src SERVER_IP dst 192.168.2.132
                proto esp reqid 1 mode tunnel
src 172.31.25.1/32 dst SERVER_IP/32 
        dir out priority 1680 
        tmpl src 192.168.2.132 dst SERVER_IP
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir 3 priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir 4 priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir 3 priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir 4 priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir 3 priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        dir 4 priority 0 

I have tried almost everything so far, but I cannot come up with a working solution. 
By the way, table 220 is always empty on the client side.

I am using strongSwan 4.3.6 on kernel 2.6.32.8 (server and client).

I would really appreciate any help or hints on what else I could do to fix this.
Thanks a lot in advance for taking the time.

Best regards
matthias

Configuration (SERVER):

config setup
        nat_traversal=yes
        charonstart=yes
        plutostart=no

ca "XXX CA"
        cacert=ca.cert.der
        auto=add

conn "XXX"
        left=%defaultroute
        leftcert=XXX
        leftsendcert=never
        leftsubnet=0.0.0.0/0
        right=%any
        rightsourceip=172.31.25.0/24
        rightcert=XXX
        installpolicy=yes
        keyexchange=ikev2
        mobike=yes
        auto=add

Configuration (CLIENT):

config setup
        nat_traversal=yes
        charonstart=yes
        plutostart=no

ca "XXX CA"
        cacert=ca.cert.der
        auto=add

conn "XXX"
        left=%defaultroute
        leftsourceip=%config
        rightsubnet=0.0.0.0/0
        leftcert=XXX
        right=XXX
        rightcert=XXX
        installpolicy=yes
        keyexchange=ikev2
        mobike=yes
        auto=add
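The policy dumps in this mail show why the local traffic ends up in the tunnel: the client's out policy selects src 172.31.25.1/32 dst 0.0.0.0/0, so every packet sent from the virtual IP matches it whatever its destination, and nothing with a more specific selector and a numerically lower priority is there to take the LAN out of it. The Python script below is an added example for this thread; it is not code from the mail or from strongSwan. It parses `ip xfrm policy` text into records and reproduces the kernel's choice for one packet (lowest priority number among matching policies of the same direction wins; dump order is assumed here as the tie-breaker). Its input is a constructed copy of the first dump with SERVER_IP replaced by the placeholder 203.0.113.10, plus one hypothetical bypass policy for 192.168.2.0/24 (not in the mail, priority value 1600 chosen arbitrarily) to show what an exception for the local subnet has to look like at the policy level.

```python
"""Parse an `ip xfrm policy` dump and find which policy a packet hits.

Added example for the policy dumps quoted in this thread; not strongSwan code.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the poster's first dump, SERVER_IP -> placeholder 203.0.113.10.
POSTER_DUMP = """\
src 0.0.0.0/0 dst 203.0.113.10/32
        dir fwd priority 2000
        tmpl src 203.0.113.10 dst 192.168.2.132
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 172.31.25.1/32
        dir in priority 2000
        tmpl src 203.0.113.10 dst 192.168.2.132
                proto esp reqid 1 mode tunnel
src 172.31.25.1/32 dst 0.0.0.0/0
        dir out priority 1680
        tmpl src 192.168.2.132 dst 203.0.113.10
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 3 priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        dir 4 priority 0
"""

# Hypothetical bypass policy (NOT from the mail): a selector more specific than
# 0.0.0.0/0 for the LAN, no ESP template, and an assumed priority of 1600 so
# that it ranks above the 1680 tunnel policy.
HYPOTHETICAL_BYPASS = """\
src 172.31.25.1/32 dst 192.168.2.0/24
        dir out priority 1600
"""


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str              # "in", "out", "fwd"; socket policies show as "3"/"4"
    priority: int               # the kernel prefers the lowest number
    order: int                  # position in the dump, used as the tie-breaker
    mode: Optional[str] = None  # "tunnel"/"transport" when an ESP template follows


_HEADER = re.compile(r"^src (\S+) dst (\S+)\s*$")
_DIR = re.compile(r"^\s+dir (\S+) priority (\d+)\s*$")
_TMPL_MODE = re.compile(r"^\s+proto \S+ reqid \d+ mode (\S+)\s*$")


def parse_policies(dump: str) -> list[Policy]:
    """Turn `ip xfrm policy` text into Policy records, in dump order."""
    policies: list[Policy] = []
    pending = None
    for line in dump.splitlines():
        m = _HEADER.match(line)
        if m:
            pending = (ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)))
            continue
        m = _DIR.match(line)
        if m and pending is not None:
            policies.append(Policy(pending[0], pending[1], m.group(1), int(m.group(2)), len(policies)))
            pending = None
            continue
        m = _TMPL_MODE.match(line)
        if m and policies:
            policies[-1].mode = m.group(1)  # template line belongs to the last policy
    return policies


def lookup(policies: list[Policy], direction: str, src: str, dst: str) -> Optional[Policy]:
    """Among policies of this direction whose selectors contain the packet,
    return the one with the lowest priority number (earliest in dump on ties)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies if p.direction == direction and s in p.src and d in p.dst]
    return min(hits, key=lambda p: (p.priority, p.order)) if hits else None


def classify(policies: list[Policy], src: str, dst: str) -> str:
    """'tunnel' if the winning out policy has an ESP template, 'bypass' if it
    has none (plaintext by policy), 'none' if no out policy applies."""
    p = lookup(policies, "out", src, dst)
    if p is None:
        return "none"
    return "tunnel" if p.mode else "bypass"


if __name__ == "__main__":
    before = parse_policies(POSTER_DUMP)
    after = parse_policies(POSTER_DUMP + HYPOTHETICAL_BYPASS)
    for label, pols in (("poster's dump", before), ("with bypass", after)):
        for dst in ("203.0.113.10", "198.51.100.7", "192.168.2.1"):
            print(f"{label:14} 172.31.25.1 -> {dst:15} {classify(pols, '172.31.25.1', dst)}")
```

Run against the poster's dump alone, a packet from 172.31.25.1 to 192.168.2.1 classifies as tunnel, exactly the symptom described; with the bypass appended it classifies as bypass while Internet destinations still classify as tunnel. Two things worth noticing in the numbers on this page: the priority in both dumps changes only with the source selector (0.0.0.0/0 sources get 2000, /32 sources get 1680), so a bypass whose source selector is broader than the tunnel policy's will not outrank it by number alone; and a packet sourced from the physical address 192.168.2.132 matches no out policy at all, which the script reports as none. In strongSwan a template-less policy of this kind is what a `type=passthrough` conn installs.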
