[strongSwan] kernel traps with auto=route, and "install_routes=no" - how to view traps installed and the routes if any installed by Strongswan-Charon

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Mon Oct 26 08:24:01 CET 2020


Hello Noel

i did not understand the below point mentioned by you...can you please
clarify some more?

>>>No. The routes are only added if the source IP needs to be changed from
the one
>>>indicated by the main routing table for the packets to the remote
network to be protected by IPsec.

Which source-ip? You mean the src-ipaddr of the ESP packet that is
generated by this local-peergw that is sent to remote-peergw?

Suppose we have the ipsec tunnel topology as below:

Local-TS(
192.168.1.0/24)------(192.168.1.1)[local-peergw]44.44.44.20-----(44.1)Router(55.1)-----55.55.55.20[Rem-Peergw](192.168.2.1)------(192.168.2.0/24)Remote-TS

and the ipsec-conf is as below

conn tor-emote-peergw
           left=44.44.44.20




On Mon, Oct 26, 2020 at 3:34 AM Noel Kuntze
<noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:

> Hello Rajiv,
>
> > 1. What exactly are these "kernel traps installed? Can we view what
> traps are installed?
>
> They're just IPsec policies without a state.
>
> > 3. So are these routes in table-220 correlated and mapped to the
> kernel-traps?
>
> No. The routes are only added if the source IP needs to be changed from
> the one
> indicated by the main routing table for the packets to the remote network
> to be protected by IPsec.
>
> > Now in later Strongswan versions its been recommended to use
> "install_routes=NO"
>
> That's wrong. It's only recommended if you don't want or need to change
> the source IP when tunnels go up.
>
> > a) does charon rely ONLY on the "default route" in the main-routing
> table now?
>
> From the IntroductionToStrongswan[1] article:
>
> > To avoid conflicts with these routes (especially if virtual IPs are
> used), the kernel-netlink plugin manually parses the
> > host's routing tables to determine a suitable source address when
> sending IKE packets. On hosts with a (very) high number
> > of routes this is quite inefficient. In that case, setting
> charon.plugins.kernel-netlink.fwmark in strongswan.conf is
> > recommended as it will allow using a more efficient source address
> lookup.
>
> Answers to your other questions can be drawn from the quote.
>
> Kind regards
>
> Noel
>
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan#Routing
>
> Am 23.10.20 um 23:21 schrieb Rajiv Kulkarni:
> >
> > Hi
> >
> > Its mentioned that when we set "auto=route" in a connection entry/record
> for a ipsec tunnel, the "kernel traps are installed"
> >
> > In layman's terms and understanding:
> > 1. What exactly are these "kernel traps installed? Can we view what
> traps are installed?
> > 2. By default "install_routes" is YES, so the routes are added in table
> 220 which has a higher priority order above the main-routing table
> > 3. So are these routes in table-220 correlated and mapped to the
> kernel-traps?
> >
> > For e,g with table-220 (install_routes=yes the default option enabled),
> the following are the sample examples of the routes installed
> >
> > ================================================
> > For a full-tunnel (localsubnet<>any) spokegw to hubgw
> > -------------------------------------------------------
> >
> > root at OpenWrt:/etc# ip route show table 220
> > default via 2.2.2.1 dev eth0  proto static  src 192.168.2.253
> > 192.168.2.0/24 <http://192.168.2.0/24> dev eth2  scope link
> > root at OpenWrt:/etc#
> >
> >
> >
> >
> > For a site to site tunnel
> > -----------------------
> > root at openwrt# ip route show table 220
> > 44.44.44.0/24 <http://44.44.44.0/24> dev eth0  scope link
> > 172.31.38.0/24 <http://172.31.38.0/24> via 44.44.44.254 dev eth0  proto
> static  src 192.168.26.254
> >
> >
> >
> >
> > On a Remote-Access VPN Client (split-tunnel)
> > ---------------------------
> > root at linuxgw2:~/dump3# ip route show table 220
> > 192.168.6.0/24 <http://192.168.6.0/24> via 100.100.100.2 dev eth1 proto
> static src 10.1.104.100
> > root at linuxgw2:~/dump3#
> >
> > On a Remote-Access VPN Client (full-tunnel: local<>any)
> > ---------------------------
> >
> > root at OpenWrt:/etc# ip route show table 220
> > default via 95.1.1.1 dev pppoe-wan  proto static  src 10.1.5.10
> > 192.168.10.0/24 <http://192.168.10.0/24> dev eth2  scope link
> > root at OpenWrt:/etc#
> >
> >
> >
> > =======================================================
> >
> >
> >
> >
> >
> > Now in later Strongswan versions its been recommended to use
> "install_routes=NO"
> >
> > So again here too as a kind request, in layman's perspective/view and
> understanding
> > 1. What happens to the routes that used to be installed earlier in table
> 220?
> >
> > 2. What effect ,this "non-use of table 220" has on the "kernel-traps"
> installed....again in this scenario...what kind of kernel-traps are
> installed? Are they different from when table 220 was enabled...??? Can a
> user view these traps?
> >
> > 3. With the "install_routes=NO":
> > a) does charon rely ONLY on the "default route" in the main-routing
> table now?
> >
> > b) Does the config and use of IP-Policy-Routes (with use of IP-Rules and
> other routing tables defined by user) continue to work in this case and
> does charon also refer to the policy-routes if configured????
> >
> > we have these above doubts when we are thinking of moving to
> "install_routes=no" regime and just use the main-routing table and/or the
> custom IP-Policy-Routes/IP-Rules (for both IPv4 and IPv6 Tunnels ).
> Especially when we want to go in for some critical "IP4-Over-IPv6 IPSec
> Tunnels" scenarios (part of transition to IPv6 networks)
> >
> >
> > regards
> > Rajiv
> >
> >
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20201026/bf4e610f/attachment-0001.html>


More information about the Users mailing list