[strongSwan] Strongswan routing

strongswan strongswan at Nanoteq.com
Thu Nov 27 14:00:44 CET 2014

> So if I understand correctly, you are trying to establish an IPsec tunnel over an
> existing IPsec tunnel? Should host_alice create another inner tunnel over
> s2s_sun_moon?
[Riaan Kruger]

Actually it is not a tunnel inside a tunnel. The two tunnels are mostly independent and boil down to the following as seen from Sun:
  host_alice:  IKEv1/2
  host_alice:   child:  dynamic === TUNNEL
  s2s_sun_moon:  IKEv1/2
  s2s_sun_moon:   child: === TUNNEL

The question that remains for us is what flags strongswan uses when installing routes, and why.
It installs routes with the U and S flags, while other static routes on the same platform have the U, G and S flags. The G flag (according to man 1 netstat) means:
G    RTF_GATEWAY      Destination requires forwarding by intermediary

Without the G flag FreeBSD tries to contact the device directly and thus attempts to find a matching MAC address for the specific policy.

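The check the post is driving at, as an added example that is not part of the original message or of strongSwan: given a FreeBSD `netstat -rn` table, list the routes that carry no G (RTF_GATEWAY) flag and whose destination is not covered by any on-link prefix, since those are the routes for which the kernel will try to resolve the destination's own link-layer address instead of forwarding to a next hop. The routing table below is constructed for the example (RFC 5737 documentation addresses), not output from the poster's hosts; the rule used to decide what counts as "on-link" (gateway column is `link#N` and no G flag) is an assumption of this script, and the flag letters are the ones documented in netstat(1).

```python
import ipaddress
import sys

# Constructed sample in the layout of FreeBSD `netstat -rn` (not real output).
# The 203.0.113.0/24 entry stands in for a route installed with U and S but no G.
SAMPLE_TABLE = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.0.2.1          UGS         em0
192.0.2.0/24       link#1             U           em0
192.0.2.10         link#1             UHS         lo0
198.51.100.0/24    192.0.2.1          UGS         em0
203.0.113.0/24     192.0.2.1          US          em0
127.0.0.1          link#2             UH          lo0

Internet6:
Destination        Gateway            Flags     Netif Expire
::1                link#2             UH          lo0
"""

# Flag letters as documented in netstat(1).
FLAG_NAMES = {"U": "RTF_UP", "G": "RTF_GATEWAY", "H": "RTF_HOST", "S": "RTF_STATIC"}


def parse_routes(text):
    """Return the IPv4 routes as dicts with dest/gateway/flags/netif keys."""
    routes, in_ipv4 = [], False
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "Internet:":
            in_ipv4 = True
            continue
        if fields[0] == "Internet6:":
            break  # only the IPv4 section is handled here
        if not in_ipv4 or fields[0] == "Destination" or len(fields) < 4:
            continue
        dest, gateway, flags, netif = fields[:4]
        routes.append({"dest": dest, "gateway": gateway, "flags": flags, "netif": netif})
    return routes


def to_network(dest):
    """netstat prints nets as a.b.c.d/len, hosts as a bare address, 0/0 as 'default'."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(dest, strict=False)


def on_link_prefixes(routes):
    """Prefixes treated as directly attached (assumption used by this script):
    the gateway column is an interface (link#N) and RTF_GATEWAY is not set."""
    return [to_network(r["dest"]) for r in routes
            if r["gateway"].startswith("link#") and "G" not in r["flags"]]


def routes_resolved_by_arp(routes):
    """Routes with no G flag whose destination lies in no on-link prefix.
    For these the kernel does not forward to a next hop but tries to find a
    link-layer address for the destination itself."""
    prefixes = on_link_prefixes(routes)
    suspects = []
    for r in routes:
        if "G" in r["flags"]:
            continue
        net = to_network(r["dest"])
        if any(net.subnet_of(p) for p in prefixes):
            continue
        suspects.append(r)
    return suspects


def describe(route):
    """Expand the flag letters, e.g. 'US -> RTF_UP, RTF_STATIC'."""
    names = [FLAG_NAMES.get(c, c) for c in route["flags"]]
    return f'{route["dest"]:<18} via {route["gateway"]:<12} {route["flags"]} -> {", ".join(names)}'


if __name__ == "__main__":
    # Live use: netstat -rn > table.txt; python3 check_routes.py table.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TABLE
    for r in routes_resolved_by_arp(parse_routes(text)):
        print("no RTF_GATEWAY and not on-link:", describe(r))
```

On the sample table only the 203.0.113.0/24 entry is reported; the same destination with UGS is not, because with RTF_GATEWAY set the kernel resolves the next hop (192.0.2.1) rather than the destination.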
