[strongSwan] Question on selecting source address

Jaehong Park jaehong.park at illumio.com
Thu May 5 19:58:28 CEST 2016


Hi. I found something funny.

I have two machines, each having two interfaces but one default gateway.

First of all, this is my setup. (Strongswan 5.3.5)
The client machine has

eth0 10.6.1.101
eth1 10.2.1.170

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.2.0.0        *               255.255.0.0     U     1      0        0 eth1
10.6.0.0        *               255.255.0.0     U     1      0        0 eth0
default         10.6.0.1        0.0.0.0         UG    0      0        0 eth0

IPsec configuration

conn 4.0.0.10-2-1-175.0
  left=%any
  right=10.2.1.175
conn 4.0.0.10-6-1-150.0
  left=%any
  right=10.6.1.150


And the server machine has

eth0 10.6.1.150
eth1 10.2.1.175

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.2.0.0        *               255.255.0.0     U     1      0        0 eth1
10.6.0.0        *               255.255.0.0     U     1      0        0 eth0
default         10.6.0.1        0.0.0.0         UG    0      0        0 eth0

IPsec configuration

conn 4.0.0.10-2-1-170.0
  left=%any
  right=10.2.1.170
conn 4.0.0.10-6-1-101.0
  left=%any
  right=10.6.1.101



And here is what I see.

Because both machines are set to %any, it will choose the best source IP address when stroke tries to install the route.
In my case, StrongSwan installs route as follows.

Routed Connections:
4.0.0.10-6-1-150.0{2}:  ROUTED, TRANSPORT, reqid 2
4.0.0.10-6-1-150.0{2}:   10.6.1.101/32 === 10.6.1.150/32
4.0.0.10-2-1-175.0{1}:  ROUTED, TRANSPORT, reqid 1
4.0.0.10-2-1-175.0{1}:   10.6.1.101/32 === 10.2.1.175/32


Routed Connections:
4.0.0.10-6-1-101.0{2}:  ROUTED, TRANSPORT, reqid 2
4.0.0.10-6-1-101.0{2}:   10.6.1.150/32 === 10.6.1.101/32
4.0.0.10-2-1-170.0{1}:  ROUTED, TRANSPORT, reqid 1
4.0.0.10-2-1-170.0{1}:   10.6.1.150/32 === 10.2.1.170/32
Security Associations (0 up, 0 connecting):


So data traffic from 10.2.1.170 to 10.2.1.175 won't trigger IKE/IPsec.

I guess this is a bug in the get_route function in ./libhydra/plugins/kernel_netlink/kernel_netlink_net.c

After querying RTM_GETROUTE, it collects all the possible route entries.

With the above network setup, it will collect two route entries to destination 10.2.1.xx.

However, only one entry will have src_host.

Then, when it loops through the collected route entries to get the best source IP address, depending on the order of the route entries it will hit the entry without a source IP address but with an OIF first; that will break right away and give that address as the best address, which is not what I wanted.

Is this a bug or on purpose?

And why do we collect a route entry that doesn't have a source IP address in the first place when we collect route entries?

Thanks.
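A small model of the order-dependent selection described in the post above, as an added example that is not part of the original message or of strongSwan's kernel_netlink_net.c. The route-dump order, the entry fields and the fallback to the outgoing interface's address are assumptions; the addresses and routes are the client machine's from the post.

```python
# Constructed model of the route-based source selection the post describes.
# It is NOT strongSwan's kernel_netlink_net.c; entry fields, dump order and
# the interface-address fallback are assumptions used to show why order matters.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Interface addresses of the client machine in the post.
IFACE_ADDRS = {"eth0": IPv4Address("10.6.1.101"),
               "eth1": IPv4Address("10.2.1.170")}


@dataclass
class RouteEntry:
    dst: IPv4Network                      # destination prefix of the route
    oif: str                              # outgoing interface (OIF)
    src: Optional[IPv4Address] = None     # preferred source, if the route has one
    gateway: Optional[IPv4Address] = None


# Client routing table from the post, modelled as a route dump. Only the
# connected routes carry a source address; the default route has just an OIF.
# Listing the default route first is an assumption: a dump may return either order.
CLIENT_ROUTES = [
    RouteEntry(IPv4Network("0.0.0.0/0"), "eth0", gateway=IPv4Address("10.6.0.1")),
    RouteEntry(IPv4Network("10.2.0.0/16"), "eth1", src=IPv4Address("10.2.1.170")),
    RouteEntry(IPv4Network("10.6.0.0/16"), "eth0", src=IPv4Address("10.6.1.101")),
]


def candidates(routes: List[RouteEntry], dst: str) -> List[RouteEntry]:
    """All entries whose prefix covers dst (what a dump-based lookup collects)."""
    addr = IPv4Address(dst)
    return [r for r in routes if addr in r.dst]


def pick_src_first_match(routes: List[RouteEntry], dst: str) -> str:
    """Order-dependent selection as the post describes it: the first matching entry
    wins; if it carries no source address, fall back to its interface's address."""
    for r in candidates(routes, dst):
        return str(r.src if r.src is not None else IFACE_ADDRS[r.oif])
    raise LookupError(f"no route to {dst}")


def pick_src_longest_prefix(routes: List[RouteEntry], dst: str) -> str:
    """Kernel-style selection: the most specific prefix wins, whatever the dump order."""
    best = max(candidates(routes, dst), key=lambda r: r.dst.prefixlen, default=None)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best.src if best.src is not None else IFACE_ADDRS[best.oif])
```

With the default route listed first, the first-match rule yields 10.6.1.101 for destination 10.2.1.175 (the /32 seen in the routed policy above), while longest-prefix selection yields 10.2.1.170; reversing the dump order changes the first-match answer but not the longest-prefix one.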
