[strongSwan] Problem getting default route over IPsec tunnel
Heiko Wundram
modelnine at modelnine.org
Sun Oct 18 02:55:45 CEST 2015
Hey all,
I'm currently somewhat stumped getting a default route (for a specific
network) to go through an IPsec tunnel that's set up with strongSwan
(charon, IKEv2). First, the tunnel configuration for the VPN server:
conn %default
        # Default setup.
        keyexchange=ikev2
        authby=secret
        compress=yes
        mobike=no

conn uplink-v4
        # Connection info.
        left=gw
        leftsubnet=0.0.0.0/0
        leftid=@gw
        right=%any
        rightsubnet=10.252.16.0/20
        rightid=@cli
        dpdaction=clear
        auto=add
The client (router) for the specified network has similar defaults
with the reverse configuration:
conn uplink-v4
        # Connection info.
        left=%defaultroute
        leftsubnet=10.252.16.0/20
        leftid=@cli
        leftupdown=/etc/ipsec.d/uplink
        right=gw
        rightsubnet=0.0.0.0/0
        rightid=@gw
        dpdaction=restart
        auto=start
Due to the fact that I need to add the default gateway to a specific
routing table, I've disabled charon.install_routes on the system. The
leftupdown script on the client sets up the following routes for the
network:
/sbin/ip route add default dev eth1 metric 1 table uplink
/sbin/ip route add 10.252.0.0/20 dev eth1 metric 1 table uplink
where eth1 is the interface the default gateway is located on, and
where another part of the system sets up an ip routing rule to
redirect traffic with src 10.252.16.0/20 to the corresponding routing
table, with table 220 being empty:
0: from all lookup local
220: from all lookup 220
2001: from 10.252.16.0/20 lookup uplink
32766: from all lookup main
32767: from all lookup default
As another part of the setup sets up a blackhole route for the larger
network 10.252.0.0/18, the default and (existing part) remote network
rules need to be split as marked above.
The IKEv2 peers can negotiate and properly set up the SAs (and the
kernel policies from what I can see from ip xfrm policy), but still,
it doesn't seem that traffic is able to pass via the default route,
and the system starts behaving very strangely for traffic that's
passed to the uplink table (it sends all traffic, even that which has
different rules for direct interface routes, to the uplink, and such).
Is this scenario supported, and what can I do to debug this further?
Am I doing something horribly wrong setting up the routes for ipsec?
Is there any documentation to look for further info (I find the
strongSwan documentation on manual route setup very lacking, i.e.
nonexistent)?
Thanks in advance for any hints!
--
Heiko Wundram.
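For readers of the archive, the following is an added illustration of the setup described in this mail, not the poster's /etc/ipsec.d/uplink script and not code from the strongSwan project. It is a leftupdown script that installs the route for a child SA into a dedicated routing table (the case where charon.install_routes is disabled), using the PLUTO_VERB, PLUTO_PEER_CLIENT, PLUTO_NEXT_HOP and PLUTO_INTERFACE variables that charon exports to updown scripts. The routes quoted in the mail name only an interface; charon's own install_routes, when it populates table 220, also records the next hop towards the IKE peer and a source hint, and the script below builds its route spec in that shape. The table name (UPLINK_TABLE), the source-hint variable (UPLINK_SRC) and the DRY_RUN switch are assumptions of this example. It also includes a small helper that checks the output of `ip rule show` for the policy-routing rule, since the rule and its priority relative to the main table decide whether the dedicated table is consulted at all.

```shell
#!/bin/sh
# Added example: a leftupdown script for an IKEv2 client that keeps its tunnel
# routes in a dedicated routing table (charon.install_routes disabled).  Not
# the poster's /etc/ipsec.d/uplink and not strongSwan code; it only relies on
# the PLUTO_* variables charon exports to updown scripts.
#
# Assumed inputs (all assumptions of this example):
#   UPLINK_TABLE  routing table name (default "uplink", from /etc/iproute2/rt_tables)
#   UPLINK_SRC    an address of this router inside the local traffic selector,
#                 used as the route's source hint (empty = no hint)
#   DRY_RUN=1     print the ip(8) commands instead of running them

run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the route spec in the shape charon's own install_routes uses for
# table 220: destination = remote traffic selector, next hop and interface =
# those of the route towards the IKE peer, plus a source hint so locally
# generated packets pick an address the IPsec policy actually matches.
uplink_route_spec() {
    dst="$1"; nexthop="$2"; dev="$3"; src="$4"
    spec="$dst"
    if [ -n "$nexthop" ]; then spec="$spec via $nexthop"; fi
    spec="$spec dev $dev"
    if [ -n "$src" ]; then spec="$spec src $src"; fi
    printf '%s\n' "$spec"
}

# Install or remove the route for one child SA.  charon passes the verb in
# PLUTO_VERB; only the *-client verbs carry a remote traffic selector.
uplink_updown() {
    verb="$1"
    table="${UPLINK_TABLE:-uplink}"
    spec=$(uplink_route_spec "${PLUTO_PEER_CLIENT:-}" "${PLUTO_NEXT_HOP:-}" \
                             "${PLUTO_INTERFACE:-}" "${UPLINK_SRC:-}")
    case "$verb" in
    up-client)
        # $spec is intentionally unquoted: it is a word list for ip(8)
        run_cmd ip route replace $spec table "$table"
        ;;
    down-client)
        run_cmd ip route del $spec table "$table"
        ;;
    *)
        return 0   # up-host/down-host etc.: no routes to touch here
        ;;
    esac
}

# Post-up sanity check helper: given the output of `ip rule show`, print the
# priority of the rule that sends traffic from SELECTOR to TABLE (nothing if
# absent).  The rule must exist and have a lower number than the main lookup,
# otherwise the kernel never consults the dedicated table for that source.
rule_priority() {
    selector="$1"; table="$2"; rules="$3"
    printf '%s\n' "$rules" | awk -v sel="$selector" -v tbl="$table" '
        $2 == "from" && $3 == sel && $4 == "lookup" && $5 == tbl {
            sub(":", "", $1); print $1; exit
        }'
}

# Entry point when charon invokes the script; sourcing it (for tests) only
# defines the functions and leaves the routing tables alone.
if [ -n "${PLUTO_VERB:-}" ]; then
    uplink_updown "$PLUTO_VERB"
fi
```

Point leftupdown= at the script and it runs with charon's environment; to see what it would do without a tunnel or root, run it as `DRY_RUN=1 PLUTO_VERB=up-client PLUTO_PEER_CLIENT=0.0.0.0/0 PLUTO_INTERFACE=eth1 PLUTO_NEXT_HOP=<gateway> sh uplink` and compare the printed command with `ip route show table uplink` on the live system.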