[strongSwan] kernel traps with auto=route, and "install_routes=no" - how to view traps installed and the routes if any installed by Strongswan-Charon

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Fri Oct 23 23:21:14 CEST 2020


Hi

It's mentioned that when we set "auto=route" in a connection entry/record
for an IPsec tunnel, "kernel traps are installed".

In layman's terms and understanding:
1. What exactly are these "kernel traps" installed? Can we view what traps
are installed?
2. By default "install_routes" is YES, so the routes are added in table 220,
which has a higher priority than the main routing table.
3. So are these routes in table 220 correlated and mapped to the
kernel traps?

For e.g., with table 220 (install_routes=yes, the default option, enabled), the
following are sample examples of the routes installed:

================================================
For a full-tunnel (localsubnet<>any) spokegw to hubgw
-------------------------------------------------------

root@OpenWrt:/etc# ip route show table 220
default via 2.2.2.1 dev eth0  proto static  src 192.168.2.253
192.168.2.0/24 dev eth2  scope link
root@OpenWrt:/etc#

For a site to site tunnel
-----------------------
root@openwrt# ip route show table 220
44.44.44.0/24 dev eth0  scope link
172.31.38.0/24 via 44.44.44.254 dev eth0  proto static  src 192.168.26.254

On a Remote-Access VPN Client (split-tunnel)
---------------------------
root@linuxgw2:~/dump3# ip route show table 220
192.168.6.0/24 via 100.100.100.2 dev eth1 proto static src 10.1.104.100
root@linuxgw2:~/dump3#

On a Remote-Access VPN Client (full-tunnel: local<>any)
---------------------------

root@OpenWrt:/etc# ip route show table 220
default via 95.1.1.1 dev pppoe-wan  proto static  src 10.1.5.10
192.168.10.0/24 dev eth2  scope link
root@OpenWrt:/etc#

=======================================================

Now in later strongSwan versions it's been recommended to use
"install_routes=NO".

So again, here too, as a kind request, from a layman's perspective and
understanding:
1. What happens to the routes that used to be installed earlier in table
220?

2. What effect does this "non-use of table 220" have on the "kernel traps"
installed? Again, in this scenario, what kind of kernel traps are
installed? Are they different from when table 220 was enabled? Can a
user view these traps?

3. With the "install_routes=NO":
a) does charon rely ONLY on the "default route" in the main-routing table
now?

b) Does the config and use of IP policy routes (with the use of IP rules and
other routing tables defined by the user) continue to work in this case, and
does charon also refer to the policy routes if configured?

We have the above doubts as we are thinking of moving to the
"install_routes=no" regime and just using the main routing table and/or the
custom IP policy routes/IP rules (for both IPv4 and IPv6 tunnels),
especially when we want to go in for some critical "IPv4-over-IPv6 IPsec
tunnels" scenarios (part of the transition to IPv6 networks).


regards
Rajiv
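One way to see which policies the kernel currently holds as traps, added here as an example and not part of Rajiv's mail: strongSwan's traps are XFRM policies installed without SAs (`swanctl --list-pols` or `ip xfrm policy` lists the policies, `ip xfrm state` the SAs), so a policy whose reqid has no state is still a trap waiting for the kernel's acquire. The `ip xfrm` text below is constructed sample output, and the parser assumes iproute2's field layout.

```python
import re

# Constructed sample of `ip xfrm policy` output on a gateway with two connections
# (not captured from the original mail): reqid 1 is a full tunnel, reqid 2 site-to-site.
XFRM_POLICY = """\
src 192.168.2.0/24 dst 0.0.0.0/0
\tdir out priority 375423 ptype main
\ttmpl src 2.2.2.2 dst 2.2.2.1
\t\tproto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 192.168.2.0/24
\tdir in priority 375423 ptype main
\ttmpl src 2.2.2.1 dst 2.2.2.2
\t\tproto esp reqid 1 mode tunnel
src 192.168.26.0/24 dst 172.31.38.0/24
\tdir out priority 375423 ptype main
\ttmpl src 44.44.44.1 dst 44.44.44.254
\t\tproto esp reqid 2 mode tunnel
"""

# Constructed sample of `ip xfrm state`: only reqid 2 has SAs (IKE already finished for it).
XFRM_STATE = """\
src 44.44.44.1 dst 44.44.44.254
\tproto esp spi 0xc1a2b3c4 reqid 2 mode tunnel
src 44.44.44.254 dst 44.44.44.1
\tproto esp spi 0xd5e6f708 reqid 2 mode tunnel
"""

def parse_policies(text):
    """One dict per XFRM policy: traffic selector, direction and template reqid."""
    policies = []
    # Each policy block starts with an unindented "src ... dst ..." line.
    for block in re.split(r"^(?=src )", text, flags=re.M):
        sel = re.match(r"src (\S+) dst (\S+)", block)
        direction = re.search(r"\bdir (\w+)", block)
        reqid = re.search(r"\breqid (\d+)", block)
        if sel and direction and reqid:
            policies.append({"src": sel[1], "dst": sel[2],
                             "dir": direction[1], "reqid": int(reqid[1])})
    return policies

def reqids_with_sa(state_text):
    """reqids for which at least one SA (xfrm state) exists in the kernel."""
    return {int(r) for r in re.findall(r"\breqid (\d+)", state_text)}

def classify(policy_text, state_text):
    """'trap' = policy present but no SA (matching traffic raises an acquire); 'active' = SAs installed."""
    have_sa = reqids_with_sa(state_text)
    return [dict(p, status="active" if p["reqid"] in have_sa else "trap")
            for p in parse_policies(policy_text)]
```

On a live host, feed `classify()` the output of `ip xfrm policy` and `ip xfrm state`; the routes in table 220 are separate from these policies, so an entry can be a trap whether or not install_routes added a route for it.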