[strongSwan] Tunnels with dynamic IP and another route issue
Tobias Brunner
tobias at strongswan.org
Tue Apr 25 16:50:33 CEST 2017
Hi Dusan,
> default
> nexthop via 90.225.x.x dev vlan845 weight 1
> nexthop via 10.248.x.x dev ppp0 weight 256
> nexthop via 85.24.x.x dev vlan847 weight 1
> nexthop via 46.195.x.x dev ppp1 weight 1
>
> My gateway is configured to use 10.248.0.x as "default route" (highest
> weight/priority), but when Strongswan tried to initiate the tunnel it
> seems to always default to the last route, 46.195.x.x, and this won't
> work as the remote peer is expecting 85.24.x.x.
These kinds of multipath routes (via RTA_MULTIPATH) are currently not
supported by strongSwan when looking up source addresses/nexthops. The
kernel-netlink plugin only sees one of these via RTA_GATEWAY and
RTA_OIF. You could try to switch to the kernel's default route lookup
by setting either charon.install_routes=no (disables route installation
by strongSwan altogether, only works with 5.5.2), or by setting
charon.plugins.kernel-netlink.fwmark to an arbitrary number not used yet
as firewall mark (this works since 5.3.3). However, I'm not sure if
that will return different values in RTA_GATEWAY/RTA_OIF or if it would
still be necessary to parse RTA_MULTIPATH. How exactly do these kinds of
multipath routes compare to multiple routes with different
priorities/metrics? In your case you have multiple paths with the same
weight, how is the actual nexthop/interface chosen by the kernel?
Round-robin? Random?
Regards,
Tobias
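The point above is that a multipath route arrives from the kernel as a single RTA_MULTIPATH attribute holding a list of rtnexthop entries, each with its own interface index, weight and nested RTA_GATEWAY; a parser that only looks at the top-level RTA_GATEWAY/RTA_OIF sees at most one of them. The following is an added example (not strongSwan code, not the kernel-netlink plugin) of walking such an attribute with the macros from linux/rtnetlink.h. It builds a constructed RTA_MULTIPATH buffer modelled on the four-way default route quoted in the thread (interface indexes and RFC 5737 gateway addresses are made up; the weights 1/256/1/1 are from the thread), parses every nexthop, and picks the heaviest one. The parse and pick functions are hypothetical names for illustration.

```c
/* Added example: parse an RTA_MULTIPATH attribute nexthop by nexthop.
 * Uses a constructed buffer instead of a live rtnetlink socket. */
#include <arpa/inet.h>
#include <linux/rtnetlink.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_PATHS 8

struct nexthop {
    int ifindex;          /* rtnh_ifindex, the "dev" of this path */
    uint32_t weight;      /* rtnh_hops + 1, the "weight" ip route prints */
    struct in_addr gw;    /* nested RTA_GATEWAY, zero if absent */
};

/* Walk one RTA_MULTIPATH attribute; returns number of nexthops stored. */
int parse_multipath(struct rtattr *rta, struct nexthop *out, int max)
{
    int n = 0;
    int len = (int)RTA_PAYLOAD(rta);
    struct rtnexthop *nh = RTA_DATA(rta);

    while (RTNH_OK(nh, len) && n < max) {
        struct nexthop *p = &out[n++];
        memset(p, 0, sizeof(*p));
        p->ifindex = nh->rtnh_ifindex;
        p->weight = (uint32_t)nh->rtnh_hops + 1;  /* kernel stores weight-1 */

        /* Per-path attributes (RTA_GATEWAY, ...) follow the rtnexthop header. */
        struct rtattr *a = RTNH_DATA(nh);
        int alen = (int)(nh->rtnh_len - RTNH_LENGTH(0));
        for (; RTA_OK(a, alen); a = RTA_NEXT(a, alen)) {
            if (a->rta_type == RTA_GATEWAY && RTA_PAYLOAD(a) >= sizeof(p->gw))
                memcpy(&p->gw, RTA_DATA(a), sizeof(p->gw));
        }
        len -= RTNH_ALIGN(nh->rtnh_len);
        nh = RTNH_NEXT(nh);
    }
    return n;
}

/* Index of the path with the largest weight (first wins on ties). This is
 * the reporter's reading of "default"; it is a policy choice for a parser,
 * not a description of how the kernel itself picks a path. */
int pick_heaviest(const struct nexthop *paths, int n)
{
    int best = -1;
    for (int i = 0; i < n; i++)
        if (best < 0 || paths[i].weight > paths[best].weight)
            best = i;
    return best;
}

/* Append one nexthop with an IPv4 gateway to the buffer being constructed. */
static size_t add_nexthop(unsigned char *buf, size_t off, int ifindex,
                          uint32_t weight, const char *gw)
{
    struct rtnexthop *nh = (struct rtnexthop *)(buf + off);
    memset(nh, 0, sizeof(*nh));
    nh->rtnh_ifindex = ifindex;
    nh->rtnh_hops = (unsigned char)(weight - 1);
    struct rtattr *a = RTNH_DATA(nh);
    a->rta_type = RTA_GATEWAY;
    a->rta_len = RTA_LENGTH(sizeof(struct in_addr));
    inet_pton(AF_INET, gw, RTA_DATA(a));
    nh->rtnh_len = (unsigned short)(RTNH_LENGTH(0) + RTA_ALIGN(a->rta_len));
    return off + RTNH_ALIGN(nh->rtnh_len);
}

/* Constructed sample: four paths like the quoted route, made-up ifindexes
 * and RFC 5737 gateways, weights as in the thread. Parses it into `paths`
 * and returns the number of paths found. */
int demo_parse(struct nexthop *paths, int max)
{
    unsigned char buf[256];
    struct rtattr *rta = (struct rtattr *)buf;
    size_t off = RTA_LENGTH(0);
    off = add_nexthop(buf, off, 845, 1,   "192.0.2.1");     /* vlan845 */
    off = add_nexthop(buf, off, 10,  256, "198.51.100.1");  /* ppp0    */
    off = add_nexthop(buf, off, 847, 1,   "203.0.113.1");   /* vlan847 */
    off = add_nexthop(buf, off, 11,  1,   "192.0.2.254");   /* ppp1    */
    rta->rta_type = RTA_MULTIPATH;
    rta->rta_len = (unsigned short)off;
    return parse_multipath(rta, paths, max);
}

int main(void)
{
    struct nexthop paths[MAX_PATHS];
    int n = demo_parse(paths, MAX_PATHS);
    for (int i = 0; i < n; i++) {
        char s[INET_ADDRSTRLEN];
        inet_ntop(AF_INET, &paths[i].gw, s, sizeof s);
        printf("nexthop via %s ifindex %d weight %u\n", s, paths[i].ifindex, paths[i].weight);
    }
    printf("heaviest path: index %d\n", pick_heaviest(paths, n));
    return 0;
}
```

Two caveats for anyone turning this into a real lookup: rtnh_hops is an unsigned char, so the maximum weight is 256, which is exactly the value the reporter configured for ppp0; and a parser that wants to match what the kernel does with the route cannot simply take the heaviest path, since on Linux 4.4 and later the kernel distributes flows across the paths by hash, proportionally to weight, rather than always using one of them.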