[strongSwan] charon.install_routes question

Martin Willi martin at strongswan.org
Wed Nov 26 14:02:35 CET 2014


Hi Emeric,

Kindly asking to avoid thread hijacking, please create a new mail
instead of replying to another, unrelated thread. Thanks.

> By default, the "charon.install_routes" is set to value "yes". I don't
> really understand why it is the default behavior?

While that route is not required in all cases, it certainly helps way
more than it hurts. It often "just works", but in very few cases does it
do any harm, at least on Linux.

> The packets are to be processed by the IPsec stack before being
> processed by the routing table, right? I'm running a FreeBSD system,
> maybe Linux's netfilter has a different behavior?

No, not in all cases. A policy is not a route, there are at least two
cases where an explicit route is required:

      * If traffic originates from the local box, the kernel must choose
        a source address for a destination if it is not explicitly set
        by the application. On a multi-homed host, or when using a
        virtual IP, the traffic gets the correct source address only if
        we have an explicit route using that source address. If we don't
        get the correct source address, the IPsec policy won't match,
        and is not even considered for protecting your traffic.
      * If you don't have a (default) route to a network you are
        tunneling to, at least on Linux the kernel does not consider
        forwarding your traffic. Policies are not even inspected, but
        instead you get a "Network unreachable".

If implicit routes don't work for you, just disable it. In > 50% a route
is required, and in > 95% it at least doesn't hurt. In my opinion, route
installation should be definitely enabled by default.

Regards
Martin
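As an added illustration of the two cases listed above (this is not code from the mail or from strongSwan), here is a small Python model of what the Linux kernel does for locally originated traffic: a longest-prefix route lookup that fixes the source address, followed by the IPsec policy lookup. The addresses, route entries, virtual IP and policy are constructed for the example; the route charon installs is assumed to carry the virtual IP as preferred source, as strongSwan does in its own routing table (220 by default).

```python
# Constructed model of route lookup followed by policy lookup; it is an
# illustration, not the kernel's or strongSwan's actual code.
import ipaddress


def lookup_route(routes, dst):
    """Longest-prefix match; None means the kernel reports 'Network unreachable'."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen)


def outbound(routes, policies, dst):
    """Return (status, src) for traffic originating on this host to dst."""
    route = lookup_route(routes, dst)
    if route is None:
        return ("unreachable", None)  # policies are never even inspected
    # Source selection: an explicit 'src' on the route wins, otherwise the
    # address of the outgoing interface is used.
    src = route.get("src") or route["iface_addr"]
    for pol in policies:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(pol["src"])
                and ipaddress.ip_address(dst) in ipaddress.ip_network(pol["dst"])):
            return ("protected", src)  # policy matched, traffic gets IPsec
    return ("cleartext", src)          # wrong source, policy does not match


# Constructed scenario: eth0 has 10.0.0.2, the tunnel assigned the virtual
# IP 10.10.0.5, and the policy only covers traffic from that virtual IP.
MAIN_TABLE = [
    {"prefix": "0.0.0.0/0", "iface_addr": "10.0.0.2"},
    {"prefix": "10.0.0.0/24", "iface_addr": "10.0.0.2"},
]
# The route charon adds when install_routes = yes (assumed shape).
CHARON_ROUTE = {"prefix": "192.168.1.0/24", "iface_addr": "10.0.0.2",
                "src": "10.10.0.5"}
POLICIES = [{"src": "10.10.0.5/32", "dst": "192.168.1.0/24"}]

if __name__ == "__main__":
    dst = "192.168.1.7"
    print(outbound(MAIN_TABLE, POLICIES, dst))                   # ('cleartext', '10.0.0.2')
    print(outbound(MAIN_TABLE + [CHARON_ROUTE], POLICIES, dst))  # ('protected', '10.10.0.5')
    print(outbound([MAIN_TABLE[1]], POLICIES, dst))              # ('unreachable', None)
```

The first call is the multi-homed/virtual-IP case (wrong source, policy skipped), the second shows the explicit route fixing it, and the third is the missing-route case where no policy is consulted at all.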
