[strongSwan] Customizing routing

Noel Kuntze noel at familie-kuntze.de
Sat Dec 19 19:12:11 CET 2015



> After further experiments (without TRACE yet though) the issue seems to
> always occur when rightsubnet=0.0.0.0/0. With same configuration in place:
>
> charon.install_routes=no
Not recommended to do that, unless you know what you're doing - which
you probably don't.
>
> leftupdown script populating routing table and iptables chains:
>
> iptables -t nat -I POSTROUTING -d A,B -j SNAT --to-source $PLUTO_MY_SOURCEIP
> iptables -t nat -I POSTROUTING -o wan -m policy --dir out --pol ipsec -j ACCEPT
> ip route add A dev wan proto static scope global src $PLUTO_MY_SOURCEIP table 220
> ip route add B dev wan proto static scope global src $PLUTO_MY_SOURCEIP table 220
>
> switching between rightsubnet=0.0.0.0/0 and rightsubnet=A either results in
> hanging connections (occasionally) or works fine. Connection is always
> tested between C and A.
That's not surprising, considering it's a POLICY based VPN, not a ROUTE based one.
Just fix the MTU and MSS and it should work.
If you use rightsubnet=0.0.0.0/0, all the traffic will be tunneled (independent of the destination,
unless you have any passthrough policies that except traffic).


-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
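As an added example, not code from the thread or from the strongSwan project: a leftupdown script that installs the quoted SNAT rules and table 220 routes on up-client, removes them again on down-client, and clamps TCP MSS on traffic that an IPsec policy will encapsulate, which is the MTU/MSS fix the reply points at. The subnet values standing in for A and B, the interface name "wan", and the DRY_RUN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: a strongSwan leftupdown script.
# Installs the SNAT rules and table-220 routes from the quoted message on
# up-client, removes them on down-client, and clamps TCP MSS on traffic that
# will be ESP-encapsulated (the MTU/MSS fix the reply points at).
# Assumptions: REMOTE_A/REMOTE_B stand in for the thread's A and B, the
# outbound interface is "wan" and the table is 220 as in the thread.
# DRY_RUN=1 prints the commands instead of executing them.

REMOTE_A="${REMOTE_A:-192.0.2.0/24}"     # constructed placeholder for A
REMOTE_B="${REMOTE_B:-198.51.100.0/24}"  # constructed placeholder for B
WAN_IF="${WAN_IF:-wan}"
ROUTE_TABLE=220

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# $1: iptables op (-I install / -D delete), $2: ip route op (add/del), $3: source IP.
apply_rules() {
    iptop="$1"; routeop="$2"; srcip="$3"
    # SNAT traffic to the remote subnets to the virtual IP the peer assigned us.
    run iptables -t nat "$iptop" POSTROUTING -d "$REMOTE_A,$REMOTE_B" -j SNAT --to-source "$srcip"
    # Do not let later NAT rules touch packets that an IPsec policy will handle.
    run iptables -t nat "$iptop" POSTROUTING -o "$WAN_IF" -m policy --dir out --pol ipsec -j ACCEPT
    # Clamp MSS on TCP SYNs headed into the tunnel so ESP overhead fits the path MTU.
    run iptables -t mangle "$iptop" FORWARD -m policy --dir out --pol ipsec \
        -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    # Routes go into strongSwan's table 220 because charon.install_routes=no.
    for net in "$REMOTE_A" "$REMOTE_B"; do
        run ip route "$routeop" "$net" dev "$WAN_IF" proto static scope global \
            src "$srcip" table "$ROUTE_TABLE"
    done
}

updown() {
    case "$1" in
        up-client)   apply_rules -I add "$2" ;;
        down-client) apply_rules -D del "$2" ;;
        *)           return 0 ;;   # other verbs need nothing here
    esac
}

# strongSwan exports PLUTO_VERB and PLUTO_MY_SOURCEIP to the updown script.
if [ -n "${PLUTO_VERB:-}" ]; then updown "$PLUTO_VERB" "${PLUTO_MY_SOURCEIP:-}"; fi
```

The clamp is on FORWARD for hosts behind the gateway (the C to A case in the thread); traffic originating on the gateway itself needs the same TCPMSS rule in the mangle OUTPUT chain.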

