[strongSwan] ipsec routes (220) are wrong when a default route is set

Arvid E. Picciani aep at exys.org
Sun May 4 19:05:23 CEST 2014


My tunneled traffic is on a different interface (br-wlan) than where the endpoint can be reached (br-lan).
The selector is 100.64.1.0/24 -> 0.0.0.0 (CIDRs below 16 don't work, by the way; different problem).

So packages coming from 100.64.1.0 towards 8.8.8.8 will be tunneled and vice versa.
tcpdump reveals that an ICMP echo response from 8.8.8.8 is decrypted correctly, but then sent out to br-lan, which is NOT the correct route.
This only happens when there is a default route on br-lan during ipsec start.
Apparently the correct routes are missing in ipsec's 220 table.

$ ip route list
default via 192.168.1.1 dev br-lan
100.64.0.0/16 dev br-wlan  proto kernel  scope link  src 100.64.1.1
100.64.1.0/24 dev br-wlan  proto kernel  scope link  src 100.64.1.1
192.168.1.0/24 dev br-lan  proto kernel  scope link  src 192.168.1.102

$ ipsec restart

$ ip route list table 220
default via 192.168.1.1 dev br-lan  proto static  src 100.64.1.1
192.168.0.0/16 via 192.168.1.1 dev br-lan  proto static  src 192.168.1.102



without a default route:


$ ip route list
54.72.251.51 via 192.168.1.1 dev br-lan
100.64.0.0/16 dev br-wlan  proto kernel  scope link  src 100.64.1.1
100.64.1.0/24 dev br-wlan  proto kernel  scope link  src 100.64.1.1
192.168.1.0/24 dev br-lan  proto kernel  scope link  src 192.168.1.102

$ ipsec restart

$ ip route list table 220
default via 192.168.1.1 dev br-lan  proto static  src 100.64.1.1
100.64.0.0/16 dev br-wlan  proto static  src 100.64.1.1
100.64.1.0/24 dev br-wlan  proto static  src 100.64.1.1
192.168.0.0/16 dev br-lan  proto static  src 192.168.1.102

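An added check (not from the post or from strongSwan) that makes the symptom above mechanical to spot: it parses the two `ip route` outputs quoted in the post and reports every link-scope subnet of the main table for which table 220 would pick a different interface, which is exactly the 100.64.x routes missing in the first run. The sample tables are the ones quoted above; the regex assumes the plain `ip route` line format shown there.

```python
"""Check that strongSwan's routing table 220 still covers the main table's link routes."""
import ipaddress
import re

# Constructed samples: the `ip route list` / `ip route list table 220` outputs
# quoted in the post above (table 220 with and without a default route present).
MAIN_TABLE = """\
default via 192.168.1.1 dev br-lan
100.64.0.0/16 dev br-wlan  proto kernel  scope link  src 100.64.1.1
100.64.1.0/24 dev br-wlan  proto kernel  scope link  src 100.64.1.1
192.168.1.0/24 dev br-lan  proto kernel  scope link  src 192.168.1.102
"""
T220_BROKEN = """\
default via 192.168.1.1 dev br-lan  proto static  src 100.64.1.1
192.168.0.0/16 via 192.168.1.1 dev br-lan  proto static  src 192.168.1.102
"""
T220_GOOD = """\
default via 192.168.1.1 dev br-lan  proto static  src 100.64.1.1
100.64.0.0/16 dev br-wlan  proto static  src 100.64.1.1
100.64.1.0/24 dev br-wlan  proto static  src 100.64.1.1
192.168.0.0/16 dev br-lan  proto static  src 192.168.1.102
"""

ROUTE_RE = re.compile(r"^(\S+)(?:\s+via\s+\S+)?\s+dev\s+(\S+)")

def parse_routes(text):
    """Return [(network, device, is_link_scope)] for each `ip route` line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            dst = "0.0.0.0/0" if m.group(1) == "default" else m.group(1)
            routes.append((ipaddress.ip_network(dst, strict=False),
                           m.group(2), "scope link" in line))
    return routes

def lookup(routes, net):
    """Longest-prefix match: the device that `routes` would use for `net`."""
    best = max((r for r in routes if net.subnet_of(r[0])),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None

def misrouted_link_subnets(main_text, t220_text):
    """Link-scope subnets of the main table that table 220 sends out a
    different device (or not at all): decrypted replies to hosts there
    leave on the wrong interface, as seen with tcpdump in the post."""
    t220 = parse_routes(t220_text)
    return sorted(str(net) for net, dev, link in parse_routes(main_text)
                  if link and lookup(t220, net) != dev)
```

Feeding the live output of `ip route list` and `ip route list table 220` to `misrouted_link_subnets` after `ipsec restart` gives an empty list when table 220 is complete.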