[strongSwan] IPSEC remote access routing

dusan at comhem.se dusan at comhem.se
Mon Jan 30 09:40:56 CET 2017


I have just masked the IP addresses for security reasons, and nexthop just means that my gateway is using multipath routing (load balancing).

I have disabled table 220, so strongSwan now puts its routes in the main routing table, and in this table are also the multipath default routes. That's why I don't understand why the traffic defaults out on the incoming IPsec interface, when this interface has a lower priority. The Linux kernel is handling the routing correctly for local network devices, using the highest-prioritized route, but not for IPsec clients.

>----Original message----
>From : noel at familie-kuntze.de
>Date : 30/01/2017 - 00:26 (V)
>To : dusan at comhem.se, users at lists.strongswan.org
>Subject : Re: [strongSwan] IPSEC remote access routing
>On 29.01.2017 22:23, Dusan Ilic wrote:
>> The following is my Strongswan servers routing table (default routes).
>>         nexthop via 90.225.x.x  dev vlan845 weight 1
>>         nexthop via 10.248.x.x  dev ppp1 weight 256
>>         nexthop via 85.24.x.x  dev vlan847 weight 1
>>         nexthop via 46.195.x.x  dev ppp0 weight 1
>Please don't replace IPs with the useless text "nexthop".
>If you replace them, replace them with values that make sense.
>> strongSwan listens on vlan847, so that's where the remote access clients are connecting, and also their internet traffic is going out that interface, despite ppp1 having the highest priority. Every LAN client on the strongSwan network is primarily using ppp1, so the routing does work locally, but not for the VPN clients.
>What's in table 220? The kernel handles the traffic, so it has to obey the routing rules and tables. Maybe disable the installation of routes in strongswan.conf, if there are routes in table 220 and you don't need them. Remove parts you don't necessarily need.
>You need to take a look at your iptables and routing rules, if you use policy-based routing.
>Mit freundlichen Grüßen/Kind Regards,
>Noel Kuntze
>GPG Key ID: 0x63EC6658
>Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
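An added diagnostic helper, not code from either poster or from the strongSwan project: it parses a multipath default route in the format quoted above (the sample below is constructed from the masked output in the thread), computes each nexthop's share of new flows, and collects the rule/table checks Noel asks for. Note that a Linux multipath `weight` is a proportional share applied per flow hash, not a priority order, so a 256:1 ratio still places some flows on the weight-1 links; the strongswan.conf knob for not installing routes at all is `charon.install_routes`.

```shell
#!/bin/sh
# Constructed sample modelled on the multipath default route quoted in the
# thread (addresses masked exactly as the poster masked them).
SAMPLE_ROUTE='default proto static
        nexthop via 90.225.x.x  dev vlan845 weight 1
        nexthop via 10.248.x.x  dev ppp1 weight 256
        nexthop via 85.24.x.x  dev vlan847 weight 1
        nexthop via 46.195.x.x  dev ppp0 weight 1'

# multipath_shares ROUTE_TEXT
# Prints "<dev> <percent>" per nexthop, in route order. The percentage is the
# nexthop weight divided by the sum of all weights: the kernel hashes each new
# flow onto a nexthop in proportion to these weights, it does not "prefer"
# the heaviest one for every packet.
multipath_shares() {
    printf '%s\n' "$1" | awk '
        /nexthop/ {
            n++
            for (i = 1; i <= NF; i++) {
                if ($i == "dev")    dev[n] = $(i + 1)
                if ($i == "weight") w[n]   = $(i + 1)
            }
            total += w[n]
        }
        END { for (k = 1; k <= n; k++) printf "%s %d\n", dev[k], int(w[k] * 100 / total) }'
}

# share_of ROUTE_TEXT DEV -> integer percent of new flows expected on DEV
share_of() {
    multipath_shares "$1" | awk -v d="$2" '$1 == d { print $2 }'
}

# Run on the gateway: shows the lookup order (ip rule), what strongSwan left in
# table 220, the main-table default route(s) and the installed IPsec policies.
# If table 220 is populated but unwanted, set "charon { install_routes = no }"
# in strongswan.conf (assumed path /etc/strongswan.conf) and restart charon.
ipsec_routing_report() {
    command -v ip >/dev/null 2>&1 || { echo 'ip(8) not found' >&2; return 1; }
    echo '# policy rules, lowest preference number wins:'; ip rule show
    echo '# strongSwan routing table (default 220):';       ip route show table 220
    echo '# main table default route(s):';                 ip route show table main | grep -E '^default|nexthop'
    echo '# IPsec policies (xfrm):';                       ip xfrm policy
}
```

Call `ipsec_routing_report` on the gateway itself; `multipath_shares "$(ip route show table main)"` gives the flow split of the live route.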
