[strongSwan] Question about routing (maybe OT)

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Mar 9 12:20:27 CET 2018


Hi,

MacOS uses route based IPsec. That means that there is no way to exempt the IKE and ESP packets from the route lookups. That means you need a specific route for the responder. Otherwise you get a loop if the IP address
of the responder is in the remote TS (e.g. 0.0.0.0/0). That's a drawback of route based IPsec.
I suppose if you tunneled IPv6, you'd get a route for the responder's corresponding IPv6 address.

Kind regards

Noel

On 09.03.2018 10:42, Harald Dunkel wrote:
> Hi folks,
>
> Question: If a roadwarrior running MacOS sets up a connection
> via IPv4 to my strongswan server, then the Mac gets an additional
> routing entry for my server, e.g.
>
> 192.168.1.209      10.100.0.1         UGHS            0        0     en0
>
> 192.168.1.209 in this example is the IP address of my server.
> 10.100.0.1 is the default gateway in the road warriors local
> network. Payload is IPv4 only. IKEv2.
>
> Question is, who tells the Mac to setup this routing entry?
> Is this initiated by Charon on my server somehow, or is this
> Apple's code?
>
> Point is, using IPv6 for ike and esp there is no such routing
> entry on the Mac, even though the IPsec connection still might
> affect IPv4 routing for 192.168.1.209.
>
>
> Every helpful comment is highly appreciated
> Regards
> Harri
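To make the routing loop concrete, here is an added example (not part of the thread and not strongSwan or Apple code) that models the Mac's routing table from the thread as a longest-prefix-match lookup: without the host route the responder's IPv4 address resolves to the tunnel interface (the outer packets would be encapsulated again), with the UGHS /32 entry it resolves to en0, and a responder reached over IPv6 is never caught by the IPv4 0.0.0.0/0 tunnel route. The interface name utun0, the IPv6 addresses and the gateway for ::/0 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

TUNNEL_IF = "utun0"            # name of the Mac's virtual interface: assumption
RESPONDER_V4 = "192.168.1.209"  # the server address from the thread
RESPONDER_V6 = "2001:db8::1"    # constructed; the thread gives no IPv6 address


@dataclass(frozen=True)
class Route:
    prefix: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    gateway: Optional[str]  # None: destination is on-link
    iface: str


def lookup(table: list[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match as a FIB does it: a /32 host route beats 0.0.0.0/0.
    An IPv4 address never matches an IPv6 prefix and vice versa."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def egress_iface(table: list[Route], dst: str) -> Optional[str]:
    r = lookup(table, dst)
    return r.iface if r else None


def outer_packets_loop(table: list[Route], responder: str) -> bool:
    """True when IKE/ESP packets addressed to the responder would be routed
    into the tunnel interface, i.e. encapsulated again instead of leaving
    via the LAN: the loop described in the reply above."""
    return egress_iface(table, responder) == TUNNEL_IF


net = ipaddress.ip_network
# Constructed tables modelled on the thread: LAN 10.100.0.0/24 on en0 with
# gateway 10.100.0.1; while the VPN is up the IPv4 default route points at the
# tunnel (remote TS 0.0.0.0/0). Payload is IPv4 only, so no IPv6 tunnel route.
lan_v4 = Route(net("10.100.0.0/24"), None, "en0")
tunnel = Route(net("0.0.0.0/0"), None, TUNNEL_IF)
host_rt = Route(net(f"{RESPONDER_V4}/32"), "10.100.0.1", "en0")  # the UGHS entry
default_v6 = Route(net("::/0"), "fe80::1", "en0")  # IPv6 gateway: constructed

WITHOUT_HOST_ROUTE = [lan_v4, tunnel, default_v6]
WITH_HOST_ROUTE = [lan_v4, tunnel, host_rt, default_v6]

if __name__ == "__main__":
    for name, table in (("no host route", WITHOUT_HOST_ROUTE), ("host route", WITH_HOST_ROUTE)):
        print(f"{name}: v4 responder via {egress_iface(table, RESPONDER_V4)},"
              f" loop={outer_packets_loop(table, RESPONDER_V4)};"
              f" v6 responder via {egress_iface(table, RESPONDER_V6)}")
```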
