[strongSwan] IPSEC remote access routing

dusan at comhem.se dusan at comhem.se
Mon Jan 30 09:47:50 CET 2017


>----Ursprungligt meddelande----
>Från : martin at strongswan.org
>Datum : 30/01/2017 - 08:31 (V)
>Till : dusan at comhem.se
>Kopia : noel at familie-kuntze.de, users at lists.strongswan.org
>Ämne : Re: [strongSwan] IPSEC remote access routing
>
>Hi,
>
>> > The following is my Strongswan servers routing table (default
>> > routes).
>> >         nexthop via 90.225.x.x  dev vlan845 weight 1
>> >         nexthop via 10.248.x.x  dev ppp1 weight 256
>> >         nexthop via 85.24.x.x  dev vlan847 weight 1
>> >         nexthop via 46.195.x.x  dev ppp0 weight 1
>
>> Please don't replace IPs with the useless text "nexthop".
>
>I assume this is a single route with multiple nexthops, a Linux
>multipath route.
>
>As strongSwan installs routes for negotiated tunnels, it must exclude
>these routes from route lookups for IKE (as IKE must not be affected by
>tunnel routes). This route lookup is implemented in userspace by
>manually parsing the routing table.
>
>This routing lookup is limited, though, and some more advanced
>features, such as policy based routing or multipath routes, are not
>supported.
>
>As alternative, you may consider falling back to kernel based route
>lookups using the fwmark option, briefly discussed in [1]. Also I have
>a patch pending [2] that uses kernel-based route lookups if tunnel
>route installation is disabled; likely that we can merge that for a
>future release.
>
>Regards
>Martin
>
>[1]https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan#Routing
>[2]https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=c41f90fd
>

Hi Martin,

Yes, that's correct, it's a multipath route.
Now i'm a little but unsure what I have to do to make this the way I want it. Do you think maybe you could clarify?
I just thought that when the IPsec client traffic reaches the gateway (strongswan server), the Linux kernel routing takes over and uses the default routing on the gateway. I have disabled Strongswan route installation in it's own table, so all Strongswan routes are installed together with all other routes in the main routing table. I did this because I thought it was easier to look at all routes in one place, instead of having to list different tables to see the tunnel routes.
My gateway do have several routing tables already, one per WAN interface (next hop in default route table), but these tables are just used for specific traffic (policy based source routing), however most traffic is automatically handled by the main routing table if otherwise not specified.


More information about the Users mailing list