[strongSwan] Strongswan routing
strongswan at Nanoteq.com
Thu Nov 27 14:00:44 CET 2014
> So if I understand correctly, you are trying to establish an IPsec tunnel over an
> existing IPsec tunnel? Should host_alice create another inner tunnel over
Actually it is not a tunnel inside a tunnel. The two tunnels are mostly independent and boil down to the following as seen from Sun:
host_alice: 192.168.0.2...10.1.0.10 IKEv1/2
host_alice: child: dynamic === 10.1.0.10/32 TUNNEL
s2s_sun_moon: 192.168.0.2...192.168.0.1 IKEv1/2
s2s_sun_moon: child: 10.2.0.0/16 === 10.1.0.0/16 TUNNEL
The question that remains for us is what flags strongSwan uses when installing routes and why?
It installs routes with the U and S flags, and other static routes on the same platform have the U, G and S flags. The G flag (according to man 1 netstat) means:
G RTF_GATEWAY Destination requires forwarding by intermediary
Without the G flag FreeBSD tries to contact the device directly and thus attempts to find a matching MAC address for the specific policy.