[strongSwan] Customizing routing
Jan Palus
jan.palus at gmail.com
Sun Dec 13 22:55:46 CET 2015
Hi,
I'm new to strongswan and ipsec in general but so far all seems to go
flawlessly -- client connection is established successfully and I can
access VPN resources. Some details about my setup:
- ipsec connection is established with gateway GW over ikev1
- GW gives virtual IP and provides access to multiple independent
subnets, for the sake of this post let's assume there are two subnets A
and B
- to give access to all subnets rightsubnet=0.0.0.0/0 is used (GW does not
support the unity extension)
- strongswan connecting to GW is running on an openwrt based router which
also SNATs tunneled traffic from internal subnet C, which GW does not know about
- to avoid routing all traffic through GW I am customizing routing table
in leftupdown so only A and B are tunnelled
 _______
|       | \
|   A   |  \                                          _______
|_______|   \                                        |       |
            \ GW <-------> OPENWRT (STRONGSWAN) ---- |   C   |
 -------    /                                        |_______|
|       |  /
|   B   | /
|_______|/
Now the above setup works perfectly as long as kernel-libipsec is used, which
creates a dedicated ipsec0 interface. Both routing and MASQUERADE are
using it:
ip r add A dev ipsec0 table 220
ip r add B dev ipsec0 table 220
iptables -t nat -A POSTROUTING -o ipsec0 -j MASQUERADE
With kernel-netlink however I can achieve higher throughput with less
CPU being used, but in that case SNAT seems to fail sometimes
(connections are initiated correctly but "hang" after a while). The main
difference is the lack of a dedicated interface, so routing customization
is not required, but the SNAT rule below seems to result in hanging
connections:
iptables -t nat -A POSTROUTING -o WAN -d A,B -j SNAT --to-source <virtual-ip>
Is there anything I am missing? Would it be possible to have virtual
interface but with kernel-netlink?
Regards
Jan
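The selective routing described in the post (only A and B go into table 220, with MASQUERADE on ipsec0), written out as a leftupdown hook. This is an added example, not the poster's script or strongSwan's own updown; the subnet addresses, the routing table number and the ipsec0 interface name are placeholders, and the PLUTO_* variables are the ones charon exports to updown scripts.

```shell
#!/bin/sh
# Added example (not from the original post): strongSwan leftupdown hook that
# routes only the wanted subnets (A and B) through the kernel-libipsec ipsec0
# interface, so rightsubnet=0.0.0.0/0 does not pull all traffic into the tunnel.
# Assumptions: A=10.10.0.0/24, B=10.20.0.0/24 (constructed placeholders),
# routing table 220 as in the post, interface name ipsec0.

TUNNELLED_SUBNETS="10.10.0.0/24 10.20.0.0/24"   # A and B (placeholders)
RT_TABLE=220
IPSEC_IF="${IPSEC_IF:-ipsec0}"

# run: echo the command when IPSEC_DRY_RUN=1 (inspect/test without root),
# otherwise execute it.
run() {
    if [ "${IPSEC_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# handle_event VERB IFACE SOURCEIP: install routes + NAT on up-client,
# remove them again on down-client; other verbs are ignored.
handle_event() {
    verb=$1; iface=$2; srcip=$3
    case "$verb" in
        up-client)
            for net in $TUNNELLED_SUBNETS; do
                run ip route replace "$net" dev "$iface" src "$srcip" table "$RT_TABLE"
            done
            run iptables -t nat -A POSTROUTING -o "$iface" -j MASQUERADE
            ;;
        down-client)
            for net in $TUNNELLED_SUBNETS; do
                run ip route del "$net" dev "$iface" table "$RT_TABLE"
            done
            run iptables -t nat -D POSTROUTING -o "$iface" -j MASQUERADE
            ;;
        *) ;;
    esac
}

# route_cmd_count VERB IFACE SOURCEIP: number of route commands an event
# would issue (dry run), useful for a quick sanity check of the hook.
route_cmd_count() {
    IPSEC_DRY_RUN=1 handle_event "$1" "$2" "$3" | grep -c '^ip route' || true
}

# Entry point when charon invokes the script (PLUTO_* exported by strongSwan).
if [ -n "${PLUTO_VERB:-}" ]; then
    handle_event "$PLUTO_VERB" "$IPSEC_IF" "${PLUTO_MY_SOURCEIP:-}"
fi
```

Configure it with leftupdown=/path/to/this-script in the connection; PLUTO_MY_SOURCEIP carries the virtual IP the gateway assigned, so the routes for A and B use it as source.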