[strongSwan] routing all traffic through tunnel without local one
danielml+mailinglists.strongswan at sent.com
Mon Mar 8 09:54:42 CET 2010
Matthias Dahl wrote:
> And those are the routes:
> 192.168.2.0/24 dev br0 scope link metric 5
> 127.0.0.0/8 via 127.0.0.1 dev lo
> default via 192.168.2.1 dev br0 proto static src 172.31.25.1
> default via 192.168.2.1 dev br0 metric 5
> Like I said, I have no idea whatsoever but it works now. Since I am new to
Let me explain what I think is the reason:
The routing table is key to answering this question.
If you send a packet to a host which is on the local subnet, say
192.168.2.1 for example, the kernel will query the routing table first.
The route that the kernel is going to pick is
192.168.2.0/24 dev br0 scope link metric 5
because it is the most specific one, i.e. it has the longest prefix. This
route does not specify a source address which is why the kernel picks an
address that is assigned to br0. In your case it's 192.168.2.132, right?
Now, let's have a look at the IPsec policy:
src 172.31.25.1/32 dst 0.0.0.0/0 uid 0
It *only* applies to packets that have 172.31.25.1 as the source
address. However, the src address of your packet is different:
192.168.2.132. That's why this packet is not subject to IPsec processing.
Having said that, let us look at the default route which is
default via 192.168.2.1 dev br0 proto static src 172.31.25.1
This route is taken into account for non-local traffic. The source
address of packets that are bound for non-local destinations will be
172.31.25.1. This is why the IPsec policy is effective for non-local
So in your case, it's all about the source address.
Remember the two facts:
- IPsec policies apply only to packets with specific src and dst addresses.
- The routing table specifies (in some cases) the src address for
traffic that originates from local applications.
Does that make sense to you?
I'll try to come up with this bypass policy later today.
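As an added illustration, not part of the thread, a small Python model of the lookup described in this message: longest-prefix route selection, the route's src hint (or the device address when the route has none), and the IPsec policy check, using the routes and policy quoted above. The br0 address 192.168.2.132 is the one the reply mentions; the lo address is assumed.

```python
import ipaddress

# Routing table constructed from the entries quoted in the thread.
# (prefix, device, src hint); src None means "pick an address assigned to the device".
# Equal-prefix routes are listed in metric order, lowest first, as the kernel prefers.
ROUTES = [
    ("192.168.2.0/24", "br0", None),          # 192.168.2.0/24 dev br0 scope link metric 5
    ("127.0.0.0/8", "lo", None),              # 127.0.0.0/8 via 127.0.0.1 dev lo
    ("0.0.0.0/0", "br0", "172.31.25.1"),      # default via 192.168.2.1 dev br0 proto static src 172.31.25.1
    ("0.0.0.0/0", "br0", None),               # default via 192.168.2.1 dev br0 metric 5
]

# Addresses assigned to the devices (br0 from the reply; lo is an assumption).
DEVICE_ADDRS = {"br0": "192.168.2.132", "lo": "127.0.0.1"}

# IPsec policy quoted in the thread: src 172.31.25.1/32 dst 0.0.0.0/0
POLICIES = [("172.31.25.1/32", "0.0.0.0/0")]


def route_lookup(dst):
    """Longest-prefix match; on equal prefix length the first (lowest metric) entry wins."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, src in ROUTES:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, src)
    if best is None:
        raise ValueError("no route to %s" % dst)
    net, dev, src = best
    # Source address comes from the route's src hint, else from the outgoing device.
    return dev, src or DEVICE_ADDRS[dev]


def ipsec_applies(src, dst):
    """True if some policy's src and dst selectors both match the packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(ps) and d in ipaddress.ip_network(pd)
               for ps, pd in POLICIES)


def classify(dst):
    """Return (chosen source address, whether the packet is subject to IPsec)."""
    _dev, src = route_lookup(dst)
    return src, ipsec_applies(src, dst)


if __name__ == "__main__":
    for dst in ("192.168.2.1", "8.8.8.8", "127.0.0.1"):
        print(dst, "->", classify(dst))
```

Local-subnet traffic gets the br0 address and bypasses the policy, while traffic taking the default route is sourced from 172.31.25.1 and matches it.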