[strongSwan] ipsec routes (220) are wrong when a default route is set
Arvid E. Picciani
aep at exys.org
Sun May 4 19:05:23 CEST 2014
My tunneled traffic is on a different interface (br-wlan) than the one where the
endpoint can be reached (br-lan).
The selector is 100.64.1.0/24 -> 0.0.0.0 (CIDRs below 16 don't work,
by the way; different problem).
So packets coming from 100.64.1.0 towards 8.8.8.8 will be tunneled and
vice versa.
tcpdump reveals that an ICMP echo response from 8.8.8.8 is decrypted
correctly, but then sent out to br-lan, which is NOT the correct route.
This only happens when there is a default route on br-lan during ipsec
start.
Apparently the correct routes are missing in ipsec's table 220.
$ ip route list
default via 192.168.1.1 dev br-lan
100.64.0.0/16 dev br-wlan proto kernel scope link src 100.64.1.1
100.64.1.0/24 dev br-wlan proto kernel scope link src 100.64.1.1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.102
$ ipsec restart
$ ip route list table 220
default via 192.168.1.1 dev br-lan proto static src 100.64.1.1
192.168.0.0/16 via 192.168.1.1 dev br-lan proto static src 192.168.1.102
Without a default route:
$ ip route list
54.72.251.51 via 192.168.1.1 dev br-lan
100.64.0.0/16 dev br-wlan proto kernel scope link src 100.64.1.1
100.64.1.0/24 dev br-wlan proto kernel scope link src 100.64.1.1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.102
$ ipsec restart
$ ip route list table 220
default via 192.168.1.1 dev br-lan proto static src 100.64.1.1
100.64.0.0/16 dev br-wlan proto static src 100.64.1.1
100.64.1.0/24 dev br-wlan proto static src 100.64.1.1
192.168.0.0/16 dev br-lan proto static src 192.168.1.102
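The check the poster did by eye above (which link routes of the interface carrying the local selector are present in the main table but absent from table 220) can be scripted. The following is an added example, not code from the original post or from the strongSwan project; the route listings are constructed from the two `ip route list` outputs quoted in the message rather than taken live, and the function and variable names (`missing_routes`, `count_missing`, `MAIN_WITH_DEFAULT`, `T220_BROKEN`, ...) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post. Compares the main routing
# table with strongSwan's table 220 and lists the non-default routes of the
# interface carrying the local traffic selector that table 220 lacks.
# All route listings below are constructed from the post, not live output.

# Main table while a default route exists on br-lan (the broken case).
MAIN_WITH_DEFAULT='default via 192.168.1.1 dev br-lan
100.64.0.0/16 dev br-wlan proto kernel scope link src 100.64.1.1
100.64.1.0/24 dev br-wlan proto kernel scope link src 100.64.1.1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.102'

# Table 220 as installed in that case: the br-wlan routes are missing.
T220_BROKEN='default via 192.168.1.1 dev br-lan proto static src 100.64.1.1
192.168.0.0/16 via 192.168.1.1 dev br-lan proto static src 192.168.1.102'

# Main table with only a host route to the peer (the working case).
MAIN_NO_DEFAULT='54.72.251.51 via 192.168.1.1 dev br-lan
100.64.0.0/16 dev br-wlan proto kernel scope link src 100.64.1.1
100.64.1.0/24 dev br-wlan proto kernel scope link src 100.64.1.1
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.102'

# Table 220 as installed in that case: the br-wlan routes are present.
T220_OK='default via 192.168.1.1 dev br-lan proto static src 100.64.1.1
100.64.0.0/16 dev br-wlan proto static src 100.64.1.1
100.64.1.0/24 dev br-wlan proto static src 100.64.1.1
192.168.0.0/16 dev br-lan proto static src 192.168.1.102'

# missing_routes DEV MAIN_TABLE TABLE_220
# Prints one prefix per line for every non-default route of DEV in
# MAIN_TABLE that has no route for the same prefix via DEV in TABLE_220.
missing_routes() {
    dev=$1
    main=$2
    t220=$3
    printf '%s\n' "$main" |
        awk -v dev="$dev" '$1 != "default" && $0 ~ (" dev " dev " ") { print $1 }' |
        while read -r prefix; do
            # awk exits 0 when a matching prefix/dev route exists, 1 otherwise
            printf '%s\n' "$t220" |
                awk -v p="$prefix" -v dev="$dev" \
                    '$1 == p && $0 ~ (" dev " dev) { found = 1 } END { exit !found }' ||
                printf '%s\n' "$prefix"
        done
}

# count_missing DEV MAIN_TABLE TABLE_220 -> number of missing prefixes
count_missing() {
    missing_routes "$1" "$2" "$3" | awk 'END { print NR }'
}

echo "missing from table 220 (default route present):"
missing_routes br-wlan "$MAIN_WITH_DEFAULT" "$T220_BROKEN"
echo "missing from table 220 (no default route):"
missing_routes br-wlan "$MAIN_NO_DEFAULT" "$T220_OK"
```

On a live box, replace the constructed strings with `$(ip route list)` and `$(ip route list table 220)`; `ip route get 8.8.8.8 from 100.64.1.1 iif br-wlan` then shows which interface the kernel actually selects for the decrypted reply. If the routes are confirmed missing, one workaround is to set `charon.install_routes = no` in strongswan.conf and add the needed routes to table 220 by hand, so that they no longer depend on what the main table looked like at `ipsec start`.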