[strongSwan] Tunnels with dynamic IP and another route issue

Tobias Brunner tobias at strongswan.org
Tue Apr 25 16:50:33 CEST 2017

Hi Dusan,

> default
>          nexthop via 90.225.x.x  dev vlan845 weight 1
>          nexthop via 10.248.x.x  dev ppp0 weight 256
>          nexthop via 85.24.x.x  dev vlan847 weight 1
>          nexthop via 46.195.x.x  dev ppp1 weight 1
> My gateway is configured to use 10.248.0.x as "default route" (highest 
> weight/priority), but when Strongswan tried to initiate the tunnel it 
> seems to always default to the last route, 46.195.x.x, and this won't 
> work as the remote peer is expecting 85.24.x.x.

These kinds of multipath routes (via RTA_MULTIPATH) are currently not
supported by strongSwan when looking up source addresses/nexthops.  The
kernel-netlink plugin only sees one of these via RTA_GATEWAY and
RTA_OIF.  You could try to switch to the kernel's default route lookup
by setting either charon.install_routes=no (disables route installation
by strongSwan altogether, only works with 5.5.2), or by setting
charon.plugins.kernel-netlink.fwmark to an arbitrary number not used yet
as firewall mark (this works since 5.3.3).  However, I'm not sure if
that will return different values in RTA_GATEWAY/RTA_OIF or if it would
still be necessary to parse RTA_MULTIPATH.  How exactly do these kinds
of multipath routes compare to multiple routes with different
priorities/metrics?  In your case you have multiple paths with the same
weight, how is the actual nexthop/interface chosen by the kernel?
Round-robin?  Random?
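As an added illustration (not code from the thread or from strongSwan), the following Python script parses `ip route show` output and flags a multipath default route of the kind quoted above, reporting how many nexthops it has and which carry the highest weight. The sample routing table is constructed: the gateway addresses stand in for the redacted x.x octets in the post, and the two non-default routes are invented to exercise the single-path parsing. Running it against a real table before debugging strongSwan's source-address selection tells you whether you are in the RTA_MULTIPATH case that the kernel-netlink plugin does not handle.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of `ip route show` output, shaped like the table quoted in
# the thread. Gateway addresses are placeholders (the post redacts them as
# x.x); the two non-default routes are made up to exercise the parser.
SAMPLE_IP_ROUTE = """\
default
        nexthop via 90.225.0.1  dev vlan845 weight 1
        nexthop via 10.248.0.1  dev ppp0 weight 256
        nexthop via 85.24.0.1  dev vlan847 weight 1
        nexthop via 46.195.0.1  dev ppp1 weight 1
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
192.168.1.0/24 via 10.0.0.254 dev eth0 metric 100
"""


@dataclass
class Nexthop:
    via: Optional[str]   # gateway address, None for directly connected routes
    dev: str             # outgoing interface
    weight: int = 1      # RTA_MULTIPATH weight; single-path routes get 1


@dataclass
class Route:
    dst: str
    nexthops: List[Nexthop] = field(default_factory=list)

    @property
    def multipath(self) -> bool:
        return len(self.nexthops) > 1


NEXTHOP_RE = re.compile(r"nexthop\s+via\s+(\S+)\s+dev\s+(\S+)(?:\s+weight\s+(\d+))?")


def _parse_header(line: str) -> Route:
    """Parse a route line that starts in column 0 (single-path or multipath header)."""
    tokens = line.split()
    route = Route(dst=tokens[0])
    via = dev = None
    for i in range(1, len(tokens) - 1):
        if tokens[i] == "via":
            via = tokens[i + 1]
        elif tokens[i] == "dev":
            dev = tokens[i + 1]
    # A multipath header ("default", "default proto static") carries no dev;
    # its nexthops arrive on the indented continuation lines that follow.
    if dev is not None:
        route.nexthops.append(Nexthop(via=via, dev=dev))
    return route


def parse_ip_route(text: str) -> List[Route]:
    """Turn `ip route show` text into Route objects, folding nexthop lines
    into the multipath route that precedes them."""
    routes: List[Route] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            m = NEXTHOP_RE.search(line)
            if m and routes:
                routes[-1].nexthops.append(
                    Nexthop(via=m.group(1), dev=m.group(2), weight=int(m.group(3) or 1)))
            continue
        routes.append(_parse_header(line))
    return routes


def multipath_default_findings(text: str) -> List[Dict]:
    """Flag multipath default routes: strongSwan's kernel-netlink plugin sees
    only one RTA_GATEWAY/RTA_OIF of these when it picks a source address."""
    findings = []
    for route in parse_ip_route(text):
        if route.dst != "default" or not route.multipath:
            continue
        top = max(n.weight for n in route.nexthops)
        heaviest = [n for n in route.nexthops if n.weight == top]
        findings.append({
            "nexthop_count": len(route.nexthops),
            "heaviest_weight": top,
            "heaviest_devs": [n.dev for n in heaviest],
            # equal top weights: the kernel balances among them rather than
            # preferring one, so there is no single "priority" nexthop
            "tied": len(heaviest) > 1,
        })
    return findings


if __name__ == "__main__":
    for f in multipath_default_findings(SAMPLE_IP_ROUTE):
        print(f"multipath default route with {f['nexthop_count']} nexthops; "
              f"heaviest weight {f['heaviest_weight']} on {', '.join(f['heaviest_devs'])}"
              + (" (tied)" if f["tied"] else ""))
```

Pipe a live table in with `ip route show | python3 check_multipath.py` after replacing `SAMPLE_IP_ROUTE` with `sys.stdin.read()`; an empty findings list means the default route is single-path and the lookup issue described in the reply does not apply.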

