[strongSwan] charon.install_routes question
Martin Willi
martin at strongswan.org
Wed Nov 26 14:02:35 CET 2014
Hi Emeric,
To avoid thread hijacking, please create a new mail instead of replying
to another, unrelated thread. Thanks.
> By default, the "charon.install_routes" is set to value "yes". I don't
> really understand why it is the default behavior?
While that route is not required in all cases, it certainly helps far
more than it hurts. It often "just works", and only in very few cases
does it do any harm, at least on Linux.
> The packets are to be processed by the IPsec stack before being
> processed by the routing table, right? I'm running a FreeBSD system,
> maybe Linux's netfilter has a different behavior?
No, not in all cases. A policy is not a route, there are at least two
cases where an explicit route is required:
* If traffic originates from the local box, the kernel must choose
a source address for a destination if it is not explicitly set
by the application. On a multi-homed host, or when using a
virtual IP, the traffic gets the correct source address only if
we have an explicit route using that source address. If we don't
get the correct source address, the IPsec policy won't match,
and is not even considered for protecting your traffic.
* If you don't have a (default) route to a network you are
tunneling to, at least on Linux the kernel does not consider
forwarding your traffic. Policies are not even inspected, but
instead you get a "Network unreachable".
If implicit routes don't work for you, just disable it. In more than 50%
of cases a route is required, and in more than 95% it at least doesn't
hurt. In my opinion, route installation should definitely be enabled by
default.
Regards
Martin
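The first case above (the kernel picks a source address the IPsec policy does not cover) is easy to check from user space without root. The script below is an added example, not part of the thread or of strongSwan: a UDP connect() performs no I/O, it only runs the route lookup and source address selection that an application which never bind()s would get, so getsockname() afterwards reveals the source address the kernel chose. The traffic selectors passed to check_policy are a hypothetical policy you would copy from your own connection definition; a result of "mismatch" means the policy would never be consulted for that traffic, and "unreachable" is the second case from the post (no route at all, ENETUNREACH, before any policy is inspected).

```python
import errno
import ipaddress
import socket
from typing import Optional, Tuple


def selected_source(dst: str, port: int = 500) -> Optional[str]:
    """Return the source address the kernel would use to reach dst.

    connect() on a datagram socket sends nothing; it only performs route
    lookup and source address selection, exactly what an application that
    does not bind() an explicit source gets. Returns None when the kernel
    has no route to dst at all (ENETUNREACH / EHOSTUNREACH).
    """
    family = socket.AF_INET6 if ":" in dst else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_DGRAM)
    try:
        sock.connect((dst, port))
        # Strip a link-local scope id such as "%eth0" if one is present.
        return sock.getsockname()[0].split("%")[0]
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return None
        raise
    finally:
        sock.close()


def policy_would_match(src: str, dst: str, local_ts: str, remote_ts: str) -> bool:
    """True if a packet src -> dst falls inside the policy's traffic selectors.

    local_ts / remote_ts are CIDR strings as you would write them in a
    strongSwan connection definition (hypothetical values in the tests).
    """
    return (ipaddress.ip_address(src) in ipaddress.ip_network(local_ts, strict=False)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(remote_ts, strict=False))


def check_policy(local_ts: str, remote_ts: str, dst: str) -> Tuple[str, Optional[str]]:
    """Classify what would happen to locally originated traffic to dst.

    "unreachable": no route, the kernel rejects the packet before policy lookup.
    "mismatch":    a source address was picked, but it is outside local_ts, so
                   the IPsec policy is never considered for this traffic (the
                   situation an explicit route with a src hint fixes).
    "match":       the chosen source falls inside local_ts; the policy applies.
    """
    src = selected_source(dst)
    if src is None:
        return ("unreachable", None)
    if policy_would_match(src, dst, local_ts, remote_ts):
        return ("match", src)
    return ("mismatch", src)


if __name__ == "__main__":
    # Example run with a hypothetical policy; replace the selectors with your own.
    for local_ts, remote_ts, dst in (
        ("127.0.0.0/8", "127.0.0.0/8", "127.0.0.1"),   # source matches
        ("10.1.0.0/16", "127.0.0.0/8", "127.0.0.1"),   # source outside local_ts
    ):
        verdict, src = check_policy(local_ts, remote_ts, dst)
        print(f"{local_ts} -> {remote_ts} via dst {dst}: {verdict} (src={src})")
```

On Linux the same answer is visible with `ip route get <dst>`, and the fix for a "mismatch" is precisely what install_routes does for you: a route to the remote selector whose preferred source (`src` in `ip route`) is the address inside the local selector or the virtual IP.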