[strongSwan] kernel traps with auto=route and "install_routes=no": how to view the traps installed and the routes (if any) installed by strongSwan's charon

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sun Oct 25 23:04:42 CET 2020


Hello Rajiv,

> 1. What exactly are these "kernel traps" installed? Can we view what traps are installed?

They're just IPsec policies without a state.

> 3. So are these routes in table 220 correlated with and mapped to the kernel traps?

No. The routes are only added if the source IP needs to be changed from the one
indicated by the main routing table for the packets to the remote network to be protected by IPsec.

> Now in later strongSwan versions it's been recommended to use "install_routes=no".

That's wrong. It's only recommended if you don't want or need to change the source IP when tunnels go up.

> a) Does charon rely ONLY on the default route in the main routing table now?

From the IntroductionToStrongswan[1] article:

> To avoid conflicts with these routes (especially if virtual IPs are used), the kernel-netlink plugin manually parses the
> host's routing tables to determine a suitable source address when sending IKE packets. On hosts with a (very) high number
> of routes this is quite inefficient. In that case, setting charon.plugins.kernel-netlink.fwmark in strongswan.conf is
> recommended as it will allow using a more efficient source address lookup.

Answers to your other questions can be drawn from the quote.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan#Routing

Am 23.10.20 um 23:21 schrieb Rajiv Kulkarni:
> 
> Hi
> 
> It's mentioned that when we set "auto=route" in a connection entry/record for an IPsec tunnel, the "kernel traps are installed".
> 
> In layman's terms and understanding:
> 1. What exactly are these "kernel traps" installed? Can we view what traps are installed?
> 2. By default "install_routes" is yes, so the routes are added in table 220, which has a higher priority than the main routing table.
> 3. So are these routes in table 220 correlated with and mapped to the kernel traps?
> 
> For e.g., with table 220 (install_routes=yes, the default option enabled), the following are sample examples of the routes installed:
> 
> ================================================
> For a full tunnel (localsubnet<>any), spoke GW to hub GW
> -------------------------------------------------------
> 
> root at OpenWrt:/etc# ip route show table 220
> default via 2.2.2.1 dev eth0  proto static  src 192.168.2.253
> 192.168.2.0/24 dev eth2  scope link
> root at OpenWrt:/etc#
> 
> For a site to site tunnel
> -----------------------
> root at openwrt# ip route show table 220
> 44.44.44.0/24 dev eth0  scope link
> 172.31.38.0/24 via 44.44.44.254 dev eth0  proto static  src 192.168.26.254
> 
> On a remote-access VPN client (split tunnel)
> ---------------------------
> root at linuxgw2:~/dump3# ip route show table 220
> 192.168.6.0/24 via 100.100.100.2 dev eth1 proto static src 10.1.104.100
> root at linuxgw2:~/dump3#
> 
> On a remote-access VPN client (full tunnel: local<>any)
> ---------------------------
> 
> root at OpenWrt:/etc# ip route show table 220
> default via 95.1.1.1 dev pppoe-wan  proto static  src 10.1.5.10
> 192.168.10.0/24 dev eth2  scope link
> root at OpenWrt:/etc#
> 
> =======================================================
> 
> Now in later strongSwan versions it's been recommended to use "install_routes=no".
> 
> So again here too, as a kind request, in layman's perspective/view and understanding:
> 1. What happens to the routes that used to be installed earlier in table 220?
> 
> 2. What effect does this "non-use of table 220" have on the "kernel traps" installed? Again, in this scenario, what kind of kernel traps are installed? Are they different from when table 220 was enabled? Can a user view these traps?
> 
> 3. With "install_routes=no":
> a) Does charon rely ONLY on the default route in the main routing table now?
> 
> b) Does the config and use of IP policy routes (with use of IP rules and other routing tables defined by the user) continue to work in this case, and does charon also refer to the policy routes if configured?
> 
> We have the above doubts as we are thinking of moving to the "install_routes=no" regime and just using the main routing table and/or custom IP policy routes/IP rules (for both IPv4 and IPv6 tunnels), especially when we want to go in for some critical "IPv4-over-IPv6 IPsec tunnel" scenarios (part of the transition to IPv6 networks).
> 
> 
> regards
> Rajiv
> 
> 
> 

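The thread asks how the installed traps can be viewed. As an added example (not posted by either participant; the xfrm output embedded below is constructed for the demo, not captured from their hosts), the following POSIX shell script shows the check a practitioner would run on a strongSwan host: dump the kernel IPsec policies with `ip xfrm policy` and the SAs with `ip xfrm state`, then flag every policy whose template reqid has no SA behind it. Those are the "IPsec policies without a state" described above; the routes in table 220 and the `ip rule` entry pointing at it are a separate matter that exists only with install_routes=yes. Run it with `--live` as root to inspect the real tables; without arguments it classifies the constructed sample.

```shell
#!/bin/sh
# Added example: list kernel IPsec trap policies, i.e. xfrm policies whose
# template has no SA (xfrm state) behind it yet. With auto=route strongSwan
# installs such policies; the first matching packet triggers IKE negotiation.
# The sample outputs below are constructed for the demo, not captured.

SAMPLE_POLICY='src 192.168.2.0/24 dst 0.0.0.0/0
    dir out priority 375423 ptype main
    tmpl src 2.2.2.2 dst 1.1.1.1
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 192.168.2.0/24
    dir fwd priority 375423 ptype main
    tmpl src 1.1.1.1 dst 2.2.2.2
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 192.168.2.0/24
    dir in priority 375423 ptype main
    tmpl src 1.1.1.1 dst 2.2.2.2
        proto esp reqid 1 mode tunnel
src 192.168.26.0/24 dst 172.31.38.0/24
    dir out priority 375423 ptype main
    tmpl src 44.44.44.1 dst 44.44.44.254
        proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 proto udp sport 500
    dir out priority 0 ptype main'

SAMPLE_STATE='src 44.44.44.1 dst 44.44.44.254
    proto esp spi 0xc1a2b3c4 reqid 2 mode tunnel
    replay-window 0 flag af-unspec
    aead rfc4106(gcm(aes)) 0x0011223344556677889900aabbccddeeff00112233 128'

# classify_policies POLICY_TEXT STATE_TEXT
# Prints one line per policy that carries an IPsec template:
#   <dir> <src> -> <dst> reqid <n> trap|active
# Bypass policies (no template, e.g. the IKE UDP/500 one) are skipped.
classify_policies() {
    state_reqids=$(printf '%s\n' "$2" |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "reqid") print $(i + 1) }' |
        sort -u | tr '\n' ' ')
    printf '%s\n' "$1" | awk -v states="$state_reqids" '
        BEGIN { n = split(states, a, " "); for (i = 1; i <= n; i++) if (a[i] != "") has[a[i]] = 1 }
        # selector line of a policy (template lines start with "tmpl", not "src")
        $1 == "src" { for (i = 1; i < NF; i++) { if ($i == "src") src = $(i + 1); if ($i == "dst") dst = $(i + 1) } next }
        $1 == "dir" { dir = $2; next }
        # template detail line: "proto esp reqid N mode tunnel"
        $1 == "proto" {
            reqid = ""
            for (i = 1; i < NF; i++) if ($i == "reqid") reqid = $(i + 1)
            if (reqid == "") next
            printf "%s %s -> %s reqid %s %s\n", dir, src, dst, reqid, (reqid in has) ? "active" : "trap"
        }'
}

# Number of trap policies in a classification produced by classify_policies.
count_traps() { printf '%s\n' "$1" | grep -c ' trap$'; }

if [ "${1:-}" = "--live" ]; then
    # Real host, needs root. The rule and table 220 only exist with
    # install_routes=yes; the trap policies exist with either setting.
    classify_policies "$(ip xfrm policy)" "$(ip xfrm state)"
    ip rule show
    ip route show table 220
else
    classify_policies "$SAMPLE_POLICY" "$SAMPLE_STATE"
fi
```

In the sample, the three policies of reqid 1 (out, fwd, in) report as traps because no SA with that reqid exists, while the site-to-site policy of reqid 2 reports as active because a state matches it; on a live host a trap flips to active as soon as the first packet has triggered a successful negotiation.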

