[strongSwan] Question about routing (maybe OT)
noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Mar 9 12:20:27 CET 2018
MacOS uses route-based IPsec. That means that there is no way to except the IKE and ESP packets from the route lookups. That means you need a specific route for the responder. Otherwise you get a loop if the IP address of the responder is in the remote TS (e.g. 0.0.0.0/0). That's a drawback of route-based IPsec.
I suppose if you tunneled IPv6, you'd get a route for the responder's corresponding IPv6 address.
On 09.03.2018 10:42, Harald Dunkel wrote:
> Hi folks,
> Question: If a road warrior running MacOS sets up a connection
> via IPv4 to my strongswan server, then the Mac gets an additional
> routing entry for my server, e.g.
> 192.168.1.209 10.100.0.1 UGHS 0 0 en0
> 192.168.1.209 in this example is the IP address of my server.
> 10.100.0.1 is the default gateway in the road warrior's local
> network. Payload is IPv4 only. IKEv2.
> Question is, who tells the Mac to set up this routing entry?
> Is this initiated by Charon on my server somehow, or is this
> Apple's code?
> Point is, using IPv6 for ike and esp there is no such routing
> entry on the Mac, even though the IPsec connection still might
> affect IPv4 routing for 192.168.1.209.
> Every helpful comment is highly appreciated.
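The loop condition described in the reply can be checked mechanically: resolve the responder's address against the client's routing table with longest-prefix matching and see whether it lands on the tunnel interface or on the physical one. This is an added example, not code from the thread or from strongSwan; the routing table is constructed from the addresses in the question, and the tunnel interface name (utun1) plus the two /1 routes used to model a 0.0.0.0/0 remote TS are assumptions, not something the thread states.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network   # destination prefix
    gateway: str                  # next hop ("link" for directly connected)
    iface: str                    # outgoing interface

# Constructed routing table modelled on the thread: the Mac sits in 10.100.0.0/24
# with default gateway 10.100.0.1 on en0. The tunnel interface name (utun1) and the
# two /1 routes that override the default route are assumptions about how a client
# installs a 0.0.0.0/0 remote TS, not facts taken from the thread.
PEER = "192.168.1.209"
TUNNEL_IFACE = "utun1"
BASE_TABLE = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "10.100.0.1", "en0"),
    Route(ipaddress.ip_network("10.100.0.0/24"), "link", "en0"),
    Route(ipaddress.ip_network("0.0.0.0/1"), "link", TUNNEL_IFACE),
    Route(ipaddress.ip_network("128.0.0.0/1"), "link", TUNNEL_IFACE),
]
# The host route the Mac adds for the responder (the UGHS entry in the question).
HOST_ROUTE = Route(ipaddress.ip_network(PEER + "/32"), "10.100.0.1", "en0")

def lookup(routes, addr):
    """Longest-prefix match over the table, the way the kernel resolves a destination."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if ip in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    return best

def check_peer_route(routes, peer, tunnel_iface):
    """Return (ok, reason). ok is False when IKE/ESP packets to the peer would be
    routed into the tunnel itself, which is the route-based IPsec loop."""
    r = lookup(routes, peer)
    if r is None:
        return False, "no route to peer %s" % peer
    if r.iface == tunnel_iface:
        return False, "peer %s matches %s on %s: encapsulated packets would re-enter the tunnel" % (peer, r.dest, r.iface)
    return True, "peer %s reached via %s on %s (gw %s)" % (peer, r.dest, r.iface, r.gateway)

if __name__ == "__main__":
    # Without the host route the peer falls into 128.0.0.0/1 on the tunnel; with it, en0 wins.
    for table in (BASE_TABLE, BASE_TABLE + [HOST_ROUTE]):
        print(check_peer_route(table, PEER, TUNNEL_IFACE))
```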