[strongSwan] Restricting protocol and port numbers question

Tobias Brunner tobias at strongswan.org
Wed Sep 30 16:11:40 CEST 2020

Hi Rajiv,

> 1. With policies based on ports/protocols used, would the routes need to
> be added still, if we say disable use of table 220 by applying the
> option "install_routes=no" in charon.conf?

As I said, no routes are installed for policies with port/protocol
anyway.  So why disable route installation globally?

> 2. I am unable to recall precisely now (as I write)... does "swanctl.conf"
> require table-220 to be used (by default)?... or rather the question
> would be, if I use swanctl.conf for the tunnel with ports/protocol
> policies, would I need to add routes in table-220?

No idea what you are asking, sorry.

> 3. Same as above, can we use install_routes=no with swanctl and avoid
> adding routes for the remote-subnets?

You can always disable automatic route installation completely with that
option, it has nothing to do with the config backend or the kind of
policies that are installed.

What you have to keep in mind is that your system has to have routes
configured for the tunneled traffic whether that is a route you install
manually, one installed by strongSwan, or one that already exists (a
default route often does the trick).
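As an added illustration of the point made in this reply (not part of the original thread and not taken from the strongSwan project), the following swanctl.conf fragment puts a child with plain subnet selectors next to one whose remote selector carries a protocol/port restriction, followed by the global charon.conf switch. Connection and child names, addresses, certificate names and the file paths are assumed placeholders:

```conf
# /etc/swanctl/conf.d/ports.conf   (assumed path; all addresses are placeholders)
connections {
    hq {
        remote_addrs = 203.0.113.1
        local {
            auth = pubkey
            certs = gw.pem
        }
        remote {
            auth = pubkey
            id = "CN=hq"
        }
        children {
            # Plain subnet selectors: charon installs a route for
            # 10.1.0.0/24 in routing table 220 unless install_routes = no.
            all-traffic {
                local_ts  = 192.168.1.0/24
                remote_ts = 10.1.0.0/24
            }
            # Protocol/port selectors (subnet[proto/port]): no route is
            # installed for this policy at all. The kernel still has to
            # route packets towards 10.2.0.0/24 (a manual route, or an
            # existing default route) before the IPsec policy can match.
            https-only {
                local_ts  = 192.168.1.0/24
                remote_ts = 10.2.0.0/24[tcp/443]
            }
        }
    }
}

# /etc/strongswan.d/charon.conf   (assumed path)
# Global switch: disables automatic route installation for every policy,
# regardless of config backend (swanctl or otherwise).
charon {
    install_routes = no
}
```

To see what strongSwan actually installed, list the table with `ip route show table 220`; with the fragment above and install_routes left at its default, only the 10.1.0.0/24 route appears there. For the port-restricted child, confirm that the main table already covers the destination with `ip route get 10.2.0.1`; if it does not, add a normal route yourself (for example `ip route add 10.2.0.0/24 via 192.168.1.1 dev eth0`, with the gateway and interface assumed) so that traffic is routed and then caught by the policy.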

