[strongSwan] Kernel deletes routes on Interface down

Andreas Hofmeister andi at collax.com
Mon Jul 25 20:14:06 CEST 2016

Hi all.

We recently stumbled across a problem where routes for established child 
SAs "suddenly" disappeared. As it turned out, this was due to the 
outgoing interface for that connection being set "down", which then 
caused the kernel to delete all routes over that interface, including 
the routes associated with that IPsec connection.

We use policy routing and "blackhole" routes to (among other things) 
prevent traffic from going out unencrypted, so the observable 
result was that no traffic could be transmitted between the endpoints.

I guess, in simpler setups, this issue would be hidden by the existence 
of a "default" route.

Now, when the interface was brought up again (before any DPD timeout can 
happen and with no address change on the interface), nothing made the 
routes re-appear.

DPD does not help here since - from the perspective of the IKE 
connection - everything appeared to be OK.

In our case, when such an interface down-up happens on the initiator 
side of the connection, we can work around this since we have some 
external observer that notices the routes' disappearance and then 
re-initiates the connection.

On the responder side though (with roadwarrior-style setups), said 
observer does not have enough information to re-install routes on its own.

Any idea how to deal with that situation?
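One way to notice the condition described in this message, as an added example that is not part of the original post or of strongSwan itself: a small POSIX shell function that compares the routes expected for the established CHILD_SAs against the current contents of the routing table and reports any that have vanished, so an external observer can react before the silent blackholing goes unnoticed. It assumes the routes live in strongSwan's default routing table 220 (the table number is an assumption; the post does not name one), and it uses constructed sample output in place of a live `ip route show table 220`.

```shell
#!/bin/sh
# Added example (not from the original post): report IPsec routes that the kernel
# has silently dropped, e.g. after the outgoing interface went down and up again.
# Assumption: charon installs its routes in table 220 (strongSwan's default);
# adjust ROUTE_TABLE if charon.routing_table was changed.
ROUTE_TABLE=220

# check_ipsec_routes EXPECTED CURRENT
#   EXPECTED: newline-separated "prefix dev iface" entries that must be present
#   CURRENT:  output of `ip route show table $ROUTE_TABLE`
# Prints one "MISSING: ..." line per absent route; returns 1 if any is
# missing, 0 otherwise.
check_ipsec_routes() {
  _expected=$1
  _current=$2
  _missing=0
  while IFS= read -r _want; do
    [ -n "$_want" ] || continue
    # Match on the "prefix dev iface" part only; the kernel appends
    # proto/src fields that we do not want to depend on.
    if ! printf '%s\n' "$_current" | grep -qF -- "$_want"; then
      printf 'MISSING: %s\n' "$_want"
      _missing=1
    fi
  done <<EOF
$_expected
EOF
  return $_missing
}

# Routes expected for three established CHILD_SAs (constructed sample values).
EXPECTED_ROUTES='10.1.0.0/24 dev eth0
10.2.0.0/24 dev eth0
10.3.0.0/24 dev eth1'

# Constructed sample of table 220 after eth0 went down and came back up:
# the kernel flushed every route over eth0, while the eth1 route survived.
TABLE_AFTER_FLAP='10.3.0.0/24 dev eth1 proto static src 198.51.100.1'

# Live use would read the real table instead of the constructed sample:
#   check_ipsec_routes "$EXPECTED_ROUTES" "$(ip route show table "$ROUTE_TABLE")"
check_ipsec_routes "$EXPECTED_ROUTES" "$TABLE_AFTER_FLAP" \
  || echo "IPsec routes missing: re-initiate the CHILD_SA or reinstall the routes"
```

The expected list would normally be derived from the traffic selectors of the CHILD_SAs that are currently up (for instance from `swanctl --list-sas` output), so that the check tracks the SAs rather than a static file.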
