[strongSwan] Linux routing issue

Carlos G Mendioroz tron at huapi.ba.ar
Mon Jan 24 20:49:42 CET 2022


Noel,
thanks for answering. Please see inline:

Noel Kuntze @ 24/1/2022 16:24 -0300 dixit:
> Hello Carlos,
> 
> Either the mark didn't take, you're using an old version (some had a 
> different behaviour in regards to marks and how routes are set when 
> marks are set on the connection configuration).

I'm using 5.8.2 as distributed by Ubuntu 20.04 LTS.
The mark did take, but the rest (i.e. non-secured traffic) is being 
affected; I may have been unclear about the issue.

The state shows it:

src <my IP> dst <AWS IP>
	proto esp spi 0xcf54acd4 reqid 1 mode tunnel
	replay-window 0 flag af-unspec
	mark 0x20/0xffffffff
	auth-trunc hmac(sha256) 0xd5... 128
	enc cbc(aes) 0x1a...
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src <AWS IP> <my IP>
	proto esp spi 0xc1a5cd59 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha256) 0xbe... 128
	enc cbc(aes) 0xd9...
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
	anti-replay context: seq 0x22, oseq 0x0, bitmap 0xffffffff

> 
> If you do not require the setting of source IP addresses for the remote 
> subnets, just disable installing of routes, and use XFRM interfaces so 
> you can use routes to direct traffic instead of dealing with the XFRM 
> policies.

I'm trying to understand, not to have a working config. For now, at least :)

-Carlos

> 
> Kind regards
> Noel
> 
> On 24.01.22 at 12:44, Carlos G Mendioroz wrote:
>> Hi,
>> trying to set up a VPN on a lab system with many interfaces
>> (Ubuntu 20.04, 2 uplinks, IPv6 tunnel, vlans, openvpn and IPIP tunnel).
>>
>> It's been a while since I used strongswan, but it was easy to set up 
>> using the ipsec command and ipsec.conf policies. The ipsec route table (220) 
>> played fine with my own rules, which I use mainly to source-route to Internet 
>> uplinks.
>>
>> Now I want to set up a routed VPN (AWS transit gateway on the other 
>> end) and as soon as the link comes up, all my traffic gets routed by the main 
>> table.
>> (I changed the policy to any any and at first did not specify a mark, and 
>> it even disconnected from the local net, not nice on a headless server.)
>> Now with a mark it still makes all the traffic ignore rule priorities.
>>
>> Any pointer to what to check?
>> TIA,

-- 
Carlos G Mendioroz  <tron at huapi.ba.ar>  LW7 EQI  Argentina
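Noel's suggestion above (stop charon from installing routes, and steer traffic with ordinary routes over an XFRM interface instead of XFRM policies or marks), written out as an added configuration example; this is not from the thread or from the strongSwan project, and the interface name ipsec0, the if_id 42, the connection name aws, the eth0 uplink, the 10.0.0.0/16 prefix and the PSK are assumed placeholders:

```conf
# /etc/strongswan.d/charon.conf (assumed path). By default charon puts routes
# for the remote traffic selectors into table 220 and adds an ip rule at
# priority 220 (charon.routing_table / charon.routing_table_prio) pointing at
# it, which is what overrode the locally defined policy-routing rules.
charon {
    install_routes = no
}

# Create the XFRM interface once, before bringing the connection up; if_id 42
# is an assumed value and only has to match if_id_in/if_id_out below.
# Only packets routed via ipsec0 get encrypted, the main table keeps the rest.
#   ip link add ipsec0 type xfrm dev eth0 if_id 42
#   ip link set ipsec0 up
#   ip route add 10.0.0.0/16 dev ipsec0    # AWS side, assumed prefix

# /etc/swanctl/swanctl.conf: bind the SA to the interface instead of a mark.
connections {
    aws {
        local_addrs  = <my IP>     # placeholders as written in the thread
        remote_addrs = <AWS IP>
        if_id_in  = 42
        if_id_out = 42
        local  { auth = psk }
        remote { auth = psk }
        children {
            aws {
                # any/any selectors as in the original setup are fine here,
                # because the routes on ipsec0, not the policies, select traffic.
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                esp_proposals = aes128-sha256
                start_action = start
            }
        }
    }
}

secrets {
    ike-aws {
        id     = <AWS IP>
        secret = "REPLACE_WITH_PRESHARED_KEY"   # placeholder
    }
}
```

With install_routes = no nothing is written to table 220, so `ip rule` priorities stay exactly as configured and plaintext traffic keeps following the existing source-routing rules.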