[strongSwan] Customizing routing

[Jan Palus]

On 15.12.2015 11:00, Tobias Brunner wrote:
> Hi Jan,
> 
> > With kernel-netlink however I can achieve higher throughput with less
> > CPU being used, but in that case SNAT seems to fail sometimes
> > (connections are initiated correctly but "hang" after a while). Main
> > difference is the lack of dedicated interface so routing customization
> > is not required, but below SNAT rule seems to result in hanging
> > connections:
> > 
> > iptables -t nat -A POSTROUTING -o WAN -d A,B -j SNAT --to-source <virtual-ip>
> 
> This is about the same rule that's used in the updown script in [1].  It
> might help if you tried to debug what happens in Netfilter via the TRACE
> target (see e.g. [2]).
> 
> Regards,
> Tobias
> 
> [1] https://www.strongswan.org/testing/testresults/ikev1/nat-virtual-ip/
> [2] http://backreference.org/2010/06/11/iptables-debugging/

After further experiments (without TRACE yet though) the issue seems to
always occur when rightsubnet=0.0.0.0/0. With same configuration in place:

charon.install_routes=no

leftupdown script populating routing table and iptables chains:

iptables -t nat -I POSTROUTING -d A,B -j SNAT --to-source $PLUTO_MY_SOURCEIP
iptables -t nat -I POSTROUTING -o wan -m policy --dir out --pol ipsec -j ACCEPT
ip route add A dev wan proto static scope global src $PLUTO_MY_SOURCEIP table 220
ip route add B dev wan proto static scope global src $PLUTO_MY_SOURCEIP table 220

switching  between rightsubnet=0.0.0.0/0 and rightsubnet=A either results in
hanging connections (occasionally) or works fine. Connection is always
tested between C and A.