[strongSwan] auto=route with virtual IPs
Alexander Hill
alex at hill.net.au
Thu Oct 27 08:47:03 CEST 2016
Hello,
I'm having what seems to be a similar problem as that described in ticket
#85 (https://wiki.strongswan.org/issues/85) except that my connections are
up, I'm just not routing correctly.
My goal is to have many roadwarrior clients getting virtual dynamic IP
addresses, which I want to remain connected to the VPN as early and
reliably as possible. I thought auto=route was the best way to achieve
that. I've included my client and server ipsec.confs at the end of this
email.
When I use auto=add (or auto=start) I can get a connection with no problem,
and traffic flows. After doing so, ip route list table 220 looks like this:
172.16.0.0/16 via 192.168.1.254 dev eth0 proto static src 172.16.0.3
However if I use auto=route (or run ipsec route and then ipsec up), my
table 220 looks like this:
172.16.0.0/16 via 192.168.1.254 dev eth0 proto static
So presumably traffic is being sent with the src set to my interface's real
IP instead of the virtual one. If I remove the leftsubnet directive from
the client config, I get a route with src explicitly set to my real IP.
The trap works OK, and the connection is brought up when it should be. But
shouldn't the route be replaced by the correct one when the tunnel is
established?
Thanks,
Alex
P.S. For now I'm using auto=start with a
low charon.retry_initiate_interval, dpdaction=restart and
closeaction=restart. Is that sufficient in terms of keeping the connection
up? Once these are out in the field it's going to be inconvenient to
physically access them, so I really want to make sure the tunnel stays
active as long as an internet connection is present.
# Gateway ipsec.conf
config setup
    uniqueids=never
    charondebug="cfg 4, dmn 4, ike 4, net 4"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn my-conn
    left=%any
    leftcert=my-server-cert.pem
    leftid=my-server-fqdn.com
    leftsubnet=172.16.0.0/16
    leftauth=pubkey
    leftfirewall=yes
    right=%any
    rightsourceip=172.16.0.0/16
    auto=add
# Clients ipsec.conf
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn my-conn
    left=%any
    leftsourceip=%config
    leftcert=my-client-cert.pem
    leftid=my-client-fqdn.com
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=my-server-fqdn.com
    rightid=my-server-fqdn.com
    rightsubnet=172.16.0.0/16
    auto=add
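The symptom described in the post (a table 220 route that lacks the "src" hint for the virtual IP, so packets leave with the interface's real address) is easy to check for on an unattended client. The script below is an added example and is not part of the original post or of strongSwan itself: it parses `ip route list table 220` lines, extracts the "src" field and compares it with the virtual IP the operator expects the client to have leased. The sample route lines are constructed to mirror the two outputs quoted above; `check_table_220` is the hypothetical live check and is only defined, not run, so the block works offline.

```shell
#!/bin/sh
# Added example (not from the original post): verify that routes in
# table 220 carry the expected virtual IP as their "src" hint.

# Print the value following "src" on one `ip route` line; print nothing
# when the route has no src hint at all.
route_src() {
    # $1: one line of `ip route list table 220` output
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i == "src") print $(i + 1)
    }'
}

# Succeed (exit 0) only when the route's src equals the expected virtual IP.
route_src_ok() {
    # $1: route line, $2: expected virtual IP
    [ "$(route_src "$1")" = "$2" ]
}

# Constructed samples mirroring the post: the auto=add result carries the
# virtual IP as src, the auto=route result does not.
GOOD_ROUTE='172.16.0.0/16 via 192.168.1.254 dev eth0 proto static src 172.16.0.3'
BAD_ROUTE='172.16.0.0/16 via 192.168.1.254 dev eth0 proto static'

# Live check (hypothetical helper, not part of strongSwan): walk table 220
# and flag every route whose src is not the leased virtual IP. The expected
# IP is supplied by the caller, e.g. taken from `ipsec status` output.
check_table_220() {
    # $1: expected virtual IP
    ip route list table 220 | while IFS= read -r line; do
        if route_src_ok "$line" "$1"; then
            echo "ok:  $line"
        else
            echo "BAD: $line (src is not $1)"
        fi
    done
}
```

On a field device this check can run from cron after `ipsec up` and log a warning, which is considerably cheaper than discovering the wrong source address only once traffic silently stops flowing.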