[strongSwan] Customizing routing

Jan Palus jan.palus at gmail.com
Wed Jan 13 17:03:24 CET 2016


On 19.12.2015 13:53, Jan Palus wrote:
> switching between rightsubnet=0.0.0.0/0 and rightsubnet=A either results in
> hanging connections (occasionally) or works fine. The connection is always
> tested between C and A.

While I finally managed to compile the proper modules/iptables to support
TRACE, I still haven't had a chance to debug the issue more thoroughly.
However, I made another observation: if I establish the connection with
rightsubnet=0.0.0.0/0 and split both the routing and the xfrm policy, then
the connection works fine. Maybe the IPsec policy is applied to some packets
it should not be applied to if the policy is created against 0.0.0.0/0;
OpenWrt maintains quite a few patches that might affect it.

I've started wondering, though: would it be possible to add a new feature
to strongSwan so that client-side splitting is performed automatically? All
the code should be there already; if I understand correctly, that's what
the unity plugin implements, among other things. The difference would be in
the source of the splitting information (either provided by the peer in the
case of unity, or configured manually for the new feature).


Regards
Jan
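What the manual "split" in the message above amounts to, as an added example that is not part of the original post and not strongSwan's own code: 0.0.0.0/0 is replaced by the set of CIDR blocks that cover everything except the subnets to be excluded (the LAN, the peer's own address), and one xfrm policy plus one route is installed per block instead of a single catch-all. The script computes those blocks with the standard ipaddress module and renders the `ip xfrm policy` / `ip route` lines; the addresses, reqid, interface name and routing table are assumptions for illustration, and nothing is executed.

```python
# Added example (not from the original post or from strongSwan): computes the
# CIDR blocks that cover 0.0.0.0/0 minus a set of excluded subnets, i.e. the
# client-side split the message describes doing by hand, and renders the
# ip xfrm / ip route commands that would install them. Addresses, reqid,
# interface and routing table below are assumptions for illustration.
import ipaddress


def split_cidrs(full="0.0.0.0/0", exclude=()):
    """Return the sorted CIDR blocks covering `full` with every net in `exclude` removed.

    Two CIDR blocks are either nested or disjoint, so each excluded net either
    swallows a block, is carved out of it with address_exclude(), or leaves it alone.
    """
    remaining = [ipaddress.ip_network(full)]
    for ex in (ipaddress.ip_network(e) for e in exclude):
        carved = []
        for net in remaining:
            if net.subnet_of(ex):        # block lies inside the exclusion: drop it
                continue
            if ex.subnet_of(net):        # exclusion lies inside the block: split around it
                carved.extend(net.address_exclude(ex))
            else:                        # disjoint: keep as is
                carved.append(net)
        remaining = carved
    return sorted(remaining)


def covered(cidrs, address):
    """True if `address` falls inside any of the CIDR blocks."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in cidrs)


def manual_split_commands(cidrs, local_ts, local_ip, peer_ip, reqid, dev="eth0", table=220):
    """Render one out/in/fwd policy triple and one route per remote block.

    Assumed layout: tunnel-mode ESP between `local_ip` and `peer_ip` with a
    single reqid, routes placed in table 220 (strongSwan's default routing
    table). Returned as strings; nothing is executed.
    """
    tmpl_out = f"tmpl src {local_ip} dst {peer_ip} proto esp reqid {reqid} mode tunnel"
    tmpl_in = f"tmpl src {peer_ip} dst {local_ip} proto esp reqid {reqid} mode tunnel"
    cmds = []
    for net in cidrs:
        cmds.append(f"ip xfrm policy add src {local_ts} dst {net} dir out {tmpl_out}")
        cmds.append(f"ip xfrm policy add src {net} dst {local_ts} dir in {tmpl_in}")
        cmds.append(f"ip xfrm policy add src {net} dst {local_ts} dir fwd {tmpl_in}")
        cmds.append(f"ip route add {net} dev {dev} table {table}")
    return cmds


if __name__ == "__main__":
    # Constructed sample: tunnel everything except the local LAN and the peer itself
    # (TEST-NET addresses, chosen for illustration only).
    blocks = split_cidrs("0.0.0.0/0", ["192.168.1.0/24", "203.0.113.1/32"])
    print(f"{len(blocks)} blocks replace 0.0.0.0/0")
    for line in manual_split_commands(blocks, "10.10.0.2/32", "198.51.100.7", "203.0.113.1", 1):
        print(line)
```

Excluding a single /24 from 0.0.0.0/0 already yields 24 blocks (one per prefix length), and each further /32 exclusion adds up to 31 more, which is the practical reason a catch-all policy is attractive and why an automatic split would have to be done in the daemon rather than by hand.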

