[strongSwan] IPSEC remote access routing

Martin Willi martin at strongswan.org
Mon Jan 30 08:31:05 CET 2017


Hi,

> > The following is my Strongswan servers routing table (default
> > routes).
> >         nexthop via 90.225.x.x  dev vlan845 weight 1
> >         nexthop via 10.248.x.x  dev ppp1 weight 256
> >         nexthop via 85.24.x.x  dev vlan847 weight 1
> >         nexthop via 46.195.x.x  dev ppp0 weight 1

> Please don't replace IPs with the useless text "nexthop".

I assume this is a single route with multiple nexthops, a Linux
multipath route.

As strongSwan installs routes for negotiated tunnels, it must exclude
these routes from route lookups for IKE (as IKE must not be affected by
tunnel routes). This route lookup is implemented in userspace by
manually parsing the routing table.

This routing lookup is limited, though, and some more advanced
features, such as policy based routing or multipath routes, are not
supported.

As an alternative, you may consider falling back to kernel based route
lookups using the fwmark option, briefly discussed in [1]. Also, I have
a patch pending [2] that uses kernel-based route lookups if tunnel
route installation is disabled; it is likely that we can merge that for
a future release.

Regards
Martin

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan#Routing
[2] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=c41f90fd
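A strongswan.conf fragment for the fwmark fallback mentioned above, added here as an example (it is not from the post or from the strongSwan project); the mark value 0x42 is an arbitrary choice, and the table number 220 is strongSwan's default for charon.routing_table:

```conf
# Added example, not from the original post. The mark 0x42 is arbitrary.
charon {
    plugins {
        socket-default {
            # Set SO_MARK on charon's IKE sockets so that every outbound
            # IKE packet carries this firewall mark.
            fwmark = 0x42
        }
        kernel-netlink {
            # Restrict the policy rule that points at strongSwan's own
            # routing table (220 by default) to packets WITHOUT the mark.
            # Marked IKE packets therefore bypass the tunnel routes and
            # are routed by the kernel, which understands multipath and
            # policy based routing, instead of charon's userspace parser.
            fwmark = !0x42
        }
    }
}
```

After restarting charon, `ip rule show` should list the rule for table 220 qualified with `not fwmark 0x42`; tunnel traffic still uses table 220, while IKE packets take whatever nexthop the kernel's multipath selection returns.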
