[strongSwan] routing all traffic through tunnel without local one

Daniel Mentz danielml+mailinglists.strongswan at sent.com
Mon Mar 8 09:54:42 CET 2010


Matthias Dahl wrote:
> And those are the routes:
> 
> 192.168.2.0/24 dev br0  scope link  metric 5 
> 127.0.0.0/8 via 127.0.0.1 dev lo 
> default via 192.168.2.1 dev br0  proto static  src 172.31.25.1 
> default via 192.168.2.1 dev br0  metric 5 
> 
> Like I said, I have no idea whatsoever but it works now. Since I am new to 

Hi Matthias,

let me explain what I think is the reason:

The routing table is key to answering this question.
If you send a packet to a host which is on the local subnet, say 
192.168.2.1 for example, the kernel will query the routing table first. 
The route that the kernel is going to pick is

192.168.2.0/24 dev br0  scope link  metric 5

because it is the most specific one, i.e. it has the longest prefix. This 
route does not specify a source address, which is why the kernel picks an 
address that is assigned to br0. In your case it's 192.168.2.132, right?

Now, let's have a look at the IPsec policy:
src 172.31.25.1/32 dst 0.0.0.0/0 uid 0

It *only* applies to packets that have 172.31.25.1 as the source 
address. However, the src address of your packet is different: 
192.168.2.132. That's why this packet is not subject to IPsec processing.


Having said that, let us look at the default route which is

default via 192.168.2.1 dev br0  proto static  src 172.31.25.1

This route is taken into account for non-local traffic. The source 
address of packets that are bound for non-local destinations will be 
172.31.25.1. This is why the IPsec policy is effective for non-local 
traffic only.

So in your case, it's all about the source address.
Remember the two facts:

- IPsec policies apply only to packets with specific src and dst addresses.
- The routing table specifies (in some cases) the src address for 
traffic that originates from local applications.


Does that make sense to you?
I'll try to come up with this bypass policy later today.

-Daniel
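As an added illustration (not part of Daniel's message or of strongSwan), here is a small Python model of the two steps described above: longest-prefix route lookup with the route's src hint deciding the source address, followed by the IPsec policy selector match. The routes, the 192.168.2.132 address and the policy selector are taken from the thread; the metric values for routes that show none are assumed to be 0.

```python
import ipaddress

# Constructed model of the routing table from the post.
# Entries: (prefix, device, metric, preferred source or None)
ROUTES = [
    ("192.168.2.0/24", "br0", 5, None),
    ("127.0.0.0/8", "lo", 0, None),
    ("0.0.0.0/0", "br0", 0, "172.31.25.1"),   # default ... proto static src 172.31.25.1
    ("0.0.0.0/0", "br0", 5, None),            # default ... metric 5
]
# Address configured on each device (192.168.2.132 as stated in the thread).
DEV_ADDR = {"br0": "192.168.2.132", "lo": "127.0.0.1"}
# IPsec policy selector from the post: src 172.31.25.1/32 dst 0.0.0.0/0
POLICY = (ipaddress.ip_network("172.31.25.1/32"), ipaddress.ip_network("0.0.0.0/0"))


def lookup_route(dst):
    """Longest-prefix match; equal prefixes are broken by the lowest metric."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, metric, src in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst not in net:
            continue
        key = (net.prefixlen, -metric)        # longer prefix wins, then lower metric
        if best is None or key > best[0]:
            best = (key, dev, src)
    if best is None:
        raise LookupError("no route to host")
    _, dev, src = best
    return dev, src


def pick_source(dst):
    """Source selection: the route's src hint if present, else the device address."""
    dev, src = lookup_route(dst)
    return src if src is not None else DEV_ADDR[dev]


def ipsec_applies(src, dst):
    """True when the packet's src/dst pair falls inside the policy selector."""
    src_net, dst_net = POLICY
    return ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net


def classify(dst):
    """Return (chosen source address, whether the tunnel policy matches)."""
    src = pick_source(dst)
    return src, ipsec_applies(src, dst)
```

Calling `classify("192.168.2.1")` yields the br0 address and no policy match, while any non-local destination gets 172.31.25.1 as source and is caught by the policy, which is exactly the split Daniel describes.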



