[strongSwan] routing all traffic through tunnel without local one

Daniel Mentz danielml+mailinglists.strongswan at sent.com
Mon Mar 8 09:54:42 CET 2010

Matthias Dahl wrote:
> And those are the routes:
> dev br0  scope link  metric 5 
> via dev lo 
> default via dev br0  proto static  src 
> default via dev br0  metric 5 
> Like I said, I have no idea whatsoever but it works now. Since I am new to 

Hi Matthias,

let me explain what I think is the reason:

The routing table is key to answering this question.
If you send a packet to a host which is on the local subnet, say for example, the kernel will query the routing table first. 
The route that the kernel is going to pick is

dev br0  scope link  metric 5

because it is the most specific one, i.e. it has the longest prefix. This 
route does not specify a source address, which is why the kernel picks an 
address that is assigned to br0. In your case it's, right?

Now, let's have a look at the IPsec policy:
src dst uid 0

It *only* applies to packets that have as the source 
address. However, the src address of your packet is different: That's why this packet is not subject to IPsec processing.

Having said that, let us look at the default route which is

default via dev br0  proto static  src

This route is taken into account for non-local traffic. The source 
address of packets that are bound for non-local destinations will be This is why the IPsec policy is effective for non-local 
traffic only.

So in your case, it's all about the source address.
Remember the two facts:

- IPsec policies apply only to packets with specific src and dst addresses.
- The routing table specifies (in some cases) the src address for 
traffic that originates from local applications.

Does that make sense to you?
I'll try to come up with this bypass policy later today.

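As an added illustration of the mechanism described in this reply (this is not code from the thread or from strongSwan), the following small Python model shows the three steps the explanation hinges on: the kernel selects a route by longest prefix (lowest metric among equal prefixes), the chosen route's `src` hint decides the packet's source address (falling back to the outgoing interface's address when the route has none), and an IPsec policy selector is then matched against that source/destination pair. All addresses are constructed from the RFC 5737 documentation ranges; the "virtual IP" and interface address are assumptions standing in for the elided values in the quoted routes, and the kernel's real lookup (policy routing rules, xfrm lookups) is only approximated here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (assumption, not the thread's real addresses):
#   br0 carries 192.0.2.10/24 on the LAN
#   the tunnel's inner "virtual IP" is 198.51.100.77 (assumed)
IFACE_ADDR = {"br0": ipaddress.ip_address("192.0.2.10")}
VIP = ipaddress.ip_address("198.51.100.77")


@dataclass
class Route:
    prefix: ipaddress.IPv4Network          # destination prefix; 0.0.0.0/0 is "default"
    dev: str                               # outgoing interface
    metric: int = 0
    src: Optional[ipaddress.IPv4Address] = None   # preferred source ("src" in ip route)


@dataclass
class Policy:
    src: ipaddress.IPv4Network             # "src" selector of the xfrm policy
    dst: ipaddress.IPv4Network             # "dst" selector of the xfrm policy


# Modelled after the quoted table: a link route without src, a default route
# with src set to the virtual IP, and a second default route without src.
ROUTES = [
    Route(ipaddress.ip_network("192.0.2.0/24"), "br0", metric=5),
    Route(ipaddress.ip_network("0.0.0.0/0"), "br0", metric=0, src=VIP),
    Route(ipaddress.ip_network("0.0.0.0/0"), "br0", metric=5),
]

# The tunnel policy: only packets sourced from the virtual IP are protected.
POLICY = Policy(ipaddress.ip_network(f"{VIP}/32"), ipaddress.ip_network("0.0.0.0/0"))


def lookup(routes, dst):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def pick_source(route):
    """Route's src hint if present, otherwise an address on the outgoing device."""
    return route.src if route.src is not None else IFACE_ADDR[route.dev]


def policy_applies(policy, src, dst):
    """An xfrm policy matches only when both selectors match the packet."""
    return src in policy.src and dst in policy.dst


def classify(dst_str):
    """Return (chosen source address, whether the IPsec policy applies)."""
    dst = ipaddress.ip_address(dst_str)
    route = lookup(ROUTES, dst)
    src = pick_source(route)
    return str(src), policy_applies(POLICY, src, dst)


if __name__ == "__main__":
    # A host on the local subnet: link route wins, LAN address chosen, policy misses.
    print("local  ->", classify("192.0.2.20"))
    # A non-local host: default route with src wins, virtual IP chosen, policy hits.
    print("remote ->", classify("203.0.113.5"))
```

Running it shows the asymmetry the reply describes: traffic to the local subnet leaves with the br0 address and bypasses the policy, while everything else is sourced from the virtual IP and is therefore subject to IPsec processing.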
