[strongSwan] unable to install source route if node has two WAN ports

Simon Chan simon.chan3 at yahoo.ca
Sat Jul 30 06:17:17 CEST 2011


Hi Tobias,

Many thanks for your response. It works like a charm.

It turns out the table number is 12 so I can't test the patch. From 
rt_tables the main table is 255. Can you have a table number higher than main? 
Just wondering.

Best Regards,
Simon

----- Original Message ----- 
From: "Tobias Brunner" <tobias at strongswan.org>
To: "Simon Chan" <simon.chan3 at yahoo.ca>
Cc: <users at lists.strongswan.org>
Sent: Friday, July 29, 2011 3:20 AM
Subject: Re: [strongSwan] unable to install source route if node has two WAN ports


> Hi,
>
>>     * A minor detail: the route "default via 6.6.6.x dev eth2" appears
>>       twice, one in main table and another in a user table. I have to
>>       delete both of them.
>
> Not so minor after all :)  This route is the actual culprit causing charon 
> to choose 6.6.6.254 as gateway.  If you remove the default routes from the 
> wan1 and wan2 tables charon should use 2.2.2.1 as gateway as it has the 
> lower metric in the main table.  The reason for this behavior is that when 
> doing the lookup for the nexthop we currently don't consider the rules 
> defined with ip rule.  We just dump all the routes in all the tables and 
> try to find the best match.  Now the order in which the kernel dumps the 
> tables is somehow not determined by the priority of such a table as 
> defined with ip rule, thus, the first route returned by the kernel is the 
> default route from table wan2 with 6.6.6.254 as gateway.
>
> To fix this you can try to exclude the two routing tables from the lookup. 
> First find out the numerical ID of those tables (these should be listed in 
> /etc/iproute2/rt_tables) then add them to strongswan.conf, for example:
>
> charon {
> ignore_routing_tables=110 120
> }
>
> If the IDs are greater than 255 you need a patch I just checked in [1].
>
> Regards,
> Tobias
>
> [1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=2e370a30 
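
The lookup behaviour described in the quoted reply, as a simplified model added here for illustration (it is not strongSwan code and not part of the original thread). It assumes "best match" means the first longest-prefix match in dump order; the gateways 6.6.6.254 and 2.2.2.1 and the IDs 110/120 come from the thread, while the dump order, metrics, wan1 gateway and peer address are constructed.

```python
import ipaddress

MAIN, WAN1, WAN2 = 254, 110, 120   # 110/120 as in the strongswan.conf example
PEER = "203.0.113.10"              # constructed remote peer address

# Constructed route dump in the order the kernel happens to return it.
# Within one table, routes are listed lowest metric first (assumption).
ROUTE_DUMP = [
    # (table, destination, gateway, metric)
    (WAN2, "0.0.0.0/0", "6.6.6.254", 0),
    (WAN1, "0.0.0.0/0", "2.2.2.1", 0),
    (MAIN, "0.0.0.0/0", "2.2.2.1", 10),
    (MAIN, "0.0.0.0/0", "6.6.6.254", 20),
    (MAIN, "2.2.2.0/24", None, 0),      # directly connected, no gateway
    (MAIN, "6.6.6.0/24", None, 0),
]


def parse_ignore(conf_value):
    """Parse a space-separated ignore_routing_tables value into a set of IDs."""
    return {int(tok) for tok in conf_value.split()}


def pick_nexthop(dest, dump, ignored=frozenset()):
    """Return (gateway, table) of the first longest-prefix match in dump order.

    Policy rules (ip rule) are deliberately not consulted, which is the
    limitation the reply describes.
    """
    addr = ipaddress.ip_address(dest)
    best, best_len = None, -1
    for table, dst, gateway, _metric in dump:
        if table in ignored:
            continue                    # table excluded via ignore_routing_tables
        net = ipaddress.ip_network(dst)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (gateway, table), net.prefixlen
    return best


if __name__ == "__main__":
    print("no exclusions :", pick_nexthop(PEER, ROUTE_DUMP))
    print("ignore 110 120:", pick_nexthop(PEER, ROUTE_DUMP, parse_ignore("110 120")))
```

With nothing excluded the model returns the wan2 default route simply because it is dumped first; with both user tables excluded only the main table is considered and the lower-metric default wins.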




