[strongSwan] Customizing routing

Jan Palus jan.palus at gmail.com
Thu Dec 17 21:12:04 CET 2015

On 16.12.2015 14:32, Mirko Parthey wrote:
> On Sun, Dec 13, 2015 at 10:55:46PM +0100, Jan Palus wrote:
> > With kernel-netlink however I can achieve higher throughput with less
> > CPU being used, but in that case SNAT seems to fail sometimes
> > (connections are initiated correctly but "hang" after a while). Main
> > difference is the lack of dedicated interface so routing customization
> > is not required, but below SNAT rule seems to result in hanging
> > connections:
> > 
> > iptables -t nat -A POSTROUTING -o WAN -d A,B -j SNAT --to-source <virtual-ip>
> If you have set option masq for your WAN zone (set by default),
> the autogenerated MASQUERADE rule takes priority over your SNAT rule,
> assuming you entered it into /etc/firewall.user or have it generated
> by an updown script.
> VPN traffic is then erroneously mapped to the IP address of the WAN
> interface instead of the IPsec virtual IP, and does not match the
> tunnel's policy anymore.
> You should insert your SNAT as the first rule in the POSTROUTING chain,
> or restrict the scope of the WAN MASQUERADE to non-IPsec traffic.

Yes, I'm aware of this; actually, with proper routing rules including the
source address you don't need an additional SNAT -- the default MASQUERADE
will work just fine.

To make sure the default firewall rules are not an issue here, I'm starting
with fresh chains all set to ACCEPT with only a few custom entries, so
that's not the root cause unfortunately. And don't get me wrong, the
tunnel works in 90% of cases, and even the problematic 10% is not always
deterministic. For example, most of the time an SVN checkout over https (a
few hundred MB) fails, but there are times when it succeeds. I've started
suspecting issues with the MTU, but neither setting it to a lower value in
the routing table helped, nor did mangling the MSS with iptables. When a
connection hangs, Wireshark on the initiating side in subnet C shows "TCP
Retransmission" packets without any further response. I will try to
investigate it deeper with TRACE, as suggested by Tobias, but first I need
to find more free time.
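Added example, not part of the thread: a small check for the POSTROUTING ordering problem Mirko describes, run against constructed `iptables-save -t nat` dumps. The interface name WAN, the subnets 10.1.0.0/24 and 10.2.0.0/24 (A and B) and the virtual IP 192.0.2.10 are placeholders, and it assumes the rules sit directly in POSTROUTING (fresh chains, as above), not in fw3's zone_wan_postrouting chain.

```shell
#!/bin/sh
# Added example, not from the thread. Dumps below are constructed; WAN, the
# subnets 10.1.0.0/24, 10.2.0.0/24 and the virtual IP 192.0.2.10 are placeholders.
# Assumes rules live directly in POSTROUTING, not in fw3's zone_wan_postrouting.

# check_postrouting_order WAN_IF < dump
# Walks POSTROUTING in order, keeps rules with "-o WAN_IF", and reports which
# target the first IPsec-bound packet hits: "masquerade-first" (the failure
# described in the thread), "snat-first" (correct) or "no-snat". A MASQUERADE
# carrying "--pol none" is ignored, since it cannot catch IPsec traffic.
check_postrouting_order() {
    awk -v wan="$1" '
        $1 == "-A" && $2 == "POSTROUTING" {
            n++; onwan = 0; nonipsec = 0; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-o" && $(i + 1) == wan) onwan = 1
                if ($i == "--pol" && $(i + 1) == "none") nonipsec = 1
                if ($i == "-j") target = $(i + 1)
            }
            if (!onwan) next
            if (target == "MASQUERADE" && !nonipsec && !masq) masq = n
            if (target == "SNAT" && !snat) snat = n
        }
        END {
            if (!snat) print "no-snat"
            else if (masq && masq < snat) print "masquerade-first"
            else print "snat-first"
        }'
}

# What appending from /etc/firewall.user typically produces: the zone
# MASQUERADE was generated first, the SNAT (-A) landed behind it and never matches.
BROKEN_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o WAN -j MASQUERADE
-A POSTROUTING -o WAN -d 10.1.0.0/24 -j SNAT --to-source 192.0.2.10
-A POSTROUTING -o WAN -d 10.2.0.0/24 -j SNAT --to-source 192.0.2.10
COMMIT'

# Both fixes from the thread applied: SNAT inserted at position 1
# (iptables -t nat -I POSTROUTING 1 ...) and MASQUERADE limited to packets
# without an IPsec policy (-m policy --dir out --pol none).
FIXED_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o WAN -d 10.1.0.0/24 -j SNAT --to-source 192.0.2.10
-A POSTROUTING -o WAN -d 10.2.0.0/24 -j SNAT --to-source 192.0.2.10
-A POSTROUTING -o WAN -m policy --dir out --pol none -j MASQUERADE
COMMIT'

printf 'before: %s\n' "$(printf '%s\n' "$BROKEN_DUMP" | check_postrouting_order WAN)"
printf 'after:  %s\n' "$(printf '%s\n' "$FIXED_DUMP" | check_postrouting_order WAN)"
```

On a live box, feed it `iptables-save -t nat | check_postrouting_order eth0` (or whatever the WAN interface is called) instead of the constructed dumps.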
