[strongSwan] Multiple subnets in local_ts not installing desired route

[Tobias Brunner]

Hi Jonathan,

> I have tried inverting the local_ts list, and using traffic selectors 
> (although I’d need a wildcard), but haven’t been able to make it work. I 
> have no idea how Strongswan chooses the interface it sets up in the 
> routing table.

A route is installed for every outbound IPsec policy.  The source IP 
selected for each is the first address found that's contained in the 
local traffic selector.

In your case, there will be two policies, however, both have the same 
remote selector/subnet, so there will only be one route.  That is, when 
the second policy is installed, the route installed with the first is 
replaced/updated.  Since the traffic selectors are sorted (makes 
comparing and narrowing them easier), it will always be an address in 
10.200.209.0/24 that ends up in the route.

There is currently no way to change or control this behavior.  So you 
basically have two options, disable automatic route installation 
completely (charon.install_routes) and install your own routes (might 
not even be necessary depending on your existing routes), or renumber 
your subnets so the one you want to ignore comes first when sorted.

Regards,
Tobias