[strongSwan] What adds the rule for route table 220?

Ben Greear greearb at candelatech.com
Wed Sep 18 17:25:42 CEST 2019


On 9/18/19 8:16 AM, Tobias Brunner wrote:
> Hi Ben,
> 
>> Please note, I am wanting the rule itself to not be added, not just no routes
>> in the 220 table.
> 
> You can avoid the rule by setting charon.routing_table to 0 (but also
> disable the route installation or you end up with routes in the main
> table).  But why is the rule a problem if the routing table is empty?

It may not matter, it just had me confused.

After some more thought, I think I may need to add custom rules anyway
since I want to bind ipsec to specific routing tables (VRFs), and it
seems that charon (or something, not sure what exactly) is not properly
binding to xfrm interfaces with SO_BINDTODEVICE, as it is not using the
proper source address once I disabled the add-route logic.

The problem we had with the 220 table is that it stole our management
traffic and put it on the IPSEC connection.  I will investigate that further
since we should not have had any routes in the 220 table at that point.

Do you know if the routing rules are required to bind the ike and related
messages to an xfrm device?

Thanks,
Ben

-- 
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc  http://www.candelatech.com
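As an added example for the thread above (not code from strongSwan or from either poster), the strongswan.conf settings Tobias describes are shown in the header comment, and a small POSIX sh check follows that inspects `ip rule` and `ip route` output for the table-220 rule and for routes in that table, since Ben's problem was a 220 table that captured management traffic. `charon.install_routes` is assumed to be the route-installation switch Tobias refers to; the `ip` output in the block is constructed sample text so the check runs offline.

```shell
#!/bin/sh
# Added example, not from the strongSwan project or the thread's authors.
# strongswan.conf fragment matching Tobias' advice (install_routes is the
# assumed name of the "route installation" switch he mentions):
#
#   charon {
#       routing_table = 0      # do not install the "from all lookup 220" rule
#       install_routes = no    # and do not install any routes either
#   }
#
# check_table TABLE RULES ROUTES
#   RULES  = text of `ip rule show`
#   ROUTES = text of `ip route show table TABLE`
# Prints absent | rule-only | rule-with-routes and returns 0, 1 or 2, so a
# monitoring script can flag a policy rule pointing at a table that holds
# routes able to pull non-IPsec traffic (e.g. management sessions) into the
# tunnel.
check_table() {
    table=$1; rules=$2; routes=$3
    if ! printf '%s\n' "$rules" | grep -q "lookup $table\$"; then
        echo absent; return 0
    fi
    if [ -z "$routes" ]; then
        echo rule-only; return 1
    fi
    echo rule-with-routes; return 2
}

# Constructed sample output of `ip rule show` on a host where charon used its
# defaults (routing_table = 220), and of `ip route show table 220`.
SAMPLE_RULES='0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES='10.0.0.0/8 via 192.0.2.1 dev eth0 proto static src 192.0.2.10'

# Live use would be: check_table 220 "$(ip rule show)" "$(ip route show table 220)"
status=$(check_table 220 "$SAMPLE_RULES" "$SAMPLE_ROUTES")
echo "table 220: $status"
```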