[strongSwan] unable to install source route if node has two WAN ports

Simon Chan simon.chan3 at yahoo.ca
Thu Jul 28 05:30:52 CEST 2011


Greetings everyone,

Back in Dec 2009 Johannes RuBek wrote: 

>Hello Guys,
>I've nailed the problem down to our second "wan" interface.
>We have two interfaces connected to the internet and therefore two
>default routes.
>eth4 which is connected via SDSL and ppp0 which is connected to ADSL.
>eth4 is the default route, ppp0 adds a default route to table 210, which
>is used for policy routes based on firewall marks.
>the ip on eth4 is what we have in left=.
>If i take down ppp0, strongswan installs source routes as expected.
>If ppp0 is there, strongswan gets the "Network is unreachable" error.
>I think strongswan might be confused by the two default gateways here..
>Is it possible that strongswan uses the wrong gateway as nexthop on the
>right interface?
>Do you have any suggestions for a case like that?


Two years later I am facing the exact same problem on Ubuntu 10.10 with strongSwan 4.5.1. Where do I go to report a bug in strongSwan?

Overview of the setup:
  a. Tunnel is between 192.168.1.0 and 192.168.2.0 subnets. Tunnel can only pass traffic one way, from 192.168.1.0 to 2.0 but not the other way around.
  b. 192.168.2.1 is the end with the problem. It has two WAN interfaces (call them 2.2.2.2 and 6.6.6.6). So "ip route list table main" shows two default routes. Also "ip route list table 220" is empty.
  c. When charon tries to set up the route, it calls get_nexthop() for 2.2.2.2. The function returns the gw of 6.6.6.6 instead of the gateway for 2.2.2.2.
  d. Following that charon complains "received netlink error: no such process" and "unable to install source route for 192.168.2.1".
  e. If I use "ip route del" to remove the default routes involving the second WAN interface, charon can install the route successfully and the tunnel passes traffic both ways.
  f. A minor detail: the route "default via 6.6.6.x dev eth2" appears twice, once in the main table and again in a user table. I have to delete both of them.
Below are the specifics and syslog.

syslog
==========
charon: 05[KNL] getting a local address in traffic selector 192.168.2.0/24
charon: 05[KNL] using host 192.168.2.1
charon: 05[KNL] getting address to reach 1.1.1.1
charon: 05[KNL] getting interface name for 2.2.2.2
charon: 05[KNL] 2.2.2.2 is on interface eth1
charon: 05[KNL] installing route: 192.168.1.0/24 via 6.6.6.254 src 192.168.2.1 dev eth1
charon: 05[KNL] getting iface index for eth1
charon: 05[KNL] received netlink error: No such process (3)
charon: 05[KNL] unable to install source route for 192.168.2.1

ipsec.conf
===========
config setup
        plutostart=no

conn %default
        mobike=no
        keyexchange=ikev2
        authby=secret
        type=tunnel
        leftsubnet=192.168.2.0/24
        left=2.2.2.2

conn net2net
        right=1.1.1.1
        rightsubnet=192.168.1.0/24
        auto=route

interfaces
===========
# The primary network interface
auto eth1
iface eth1 inet static
        address 2.2.2.2
        netmask 255.255.255.248
        broadcast 2.2.2.7
        metric 90
        gateway 2.2.2.1

auto eth1:1
iface eth1:1 inet static
        address 2.2.2.3
        netmask 255.255.255.248
        broadcast 2.2.2.7

# LAN interface
auto eth0
iface eth0 inet static
        address 192.168.2.1
        netmask 255.255.255.0
        broadcast 192.168.2.255

# Extra interface 1
auto eth2
iface eth2 inet dhcp

ip route list table 220 is empty
================================
(expecting: 192.168.1.0/24 via 2.2.2.1 dev eth1  proto static  src 192.168.2.1)

ip route list table main
========================
2.2.2.0/29 dev eth1  proto kernel  scope link  src 2.2.2.2
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.1
6.6.6.0/22 dev eth2  proto kernel  scope link  src 6.6.6.6
default via 2.2.2.1 dev eth1  metric 90
default via 6.6.6.254 dev eth2  metric 100


extra info: there is another pair of default routes
involving the two wan ports
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

ip rule list
=============
0:      from all lookup local
220:    from all lookup 220
10101:  from 2.2.2.0/29 lookup wan1
10102:  from 6.6.6.0/22 lookup wan2
32766:  from all lookup main
32767:  from all lookup default

ip route list table wan1
========================
default via 2.2.2.1 dev eth1

ip route list table wan2
========================
default via 6.6.6.254 dev eth2
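The mismatch the post describes (a nexthop chosen without regard to which interface owns the local address 2.2.2.2) can be checked outside charon. The following is an added Python example, not strongSwan code: it parses the "ip route list table main" output quoted above (embedded here as constructed sample text), counts the default routes, and picks the default gateway whose device owns the given source address, reproducing the route the post expects in table 220. Function and variable names are my own.

```python
import ipaddress

# Constructed sample: the "ip route list table main" output from the post.
MAIN_TABLE = """\
2.2.2.0/29 dev eth1  proto kernel  scope link  src 2.2.2.2
192.168.2.0/24 dev eth0  proto kernel  scope link  src 192.168.2.1
6.6.6.0/22 dev eth2  proto kernel  scope link  src 6.6.6.6
default via 2.2.2.1 dev eth1  metric 90
default via 6.6.6.254 dev eth2  metric 100
"""


def parse_routes(text):
    """Parse `ip route list` lines into dicts: dst (network), via, dev, metric."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        # strict=False: "6.6.6.0/22" has host bits set, as printed by iproute2
        route = {"dst": ipaddress.ip_network(dst, strict=False),
                 "via": None, "dev": None, "metric": 0}
        for key in ("via", "dev", "metric"):
            if key in fields:
                route[key] = fields[fields.index(key) + 1]
        route["metric"] = int(route["metric"])
        routes.append(route)
    return routes


def default_gateways(routes):
    """Every default route as (via, dev, metric); two or more is the situation in the post."""
    return [(r["via"], r["dev"], r["metric"]) for r in routes if r["dst"].prefixlen == 0]


def nexthop_for_source(routes, src):
    """Gateway reachable from the interface that owns `src` (connected prefix containing it).
    Among matching default routes the lowest metric wins; None if no interface owns src."""
    src = ipaddress.ip_address(src)
    owning_devs = {r["dev"] for r in routes if r["via"] is None and src in r["dst"]}
    candidates = [r for r in routes if r["dst"].prefixlen == 0 and r["dev"] in owning_devs]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: r["metric"])
    return best["via"], best["dev"]


def source_route_line(routes, wan_src, remote_subnet, lan_src):
    """Render the source route charon should install for the tunnel, or None."""
    hop = nexthop_for_source(routes, wan_src)
    if hop is None:
        return None
    return f"{remote_subnet} via {hop[0]} dev {hop[1]} src {lan_src}"
```

Compare the returned line with what charon logs under "installing route:"; in the post it logged "via 6.6.6.254" although 2.2.2.2 lives on eth1, which is exactly the divergence to report.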
