[strongSwan] Multiple subnets in local_ts not installing desired route

[Jonathan Chocron]

Hi Tobias,

Thank you very much for your very clear answer. I ended up disabling the automatic installation of routes and going through an updown script to install them manually. It works like a charm.

Kind regards,

Jonathan



> Le 1 mars 2022 à 14:46, Tobias Brunner <tobias at strongswan.org> a écrit :
> 
> Hi Jonathan,
> 
>> I have tried inverting the local_ts list, and using traffic selectors (although I’d need a wildcard), but haven’t been able to make it work. I have no idea how Strongswan chooses the interface it sets up in the routing table.
> 
> A route is installed for every outbound IPsec policy.  The source IP selected for each is the first address found that's contained in the local traffic selector.
> 
> In your case, there will be two policies, however, both have the same remote selector/subnet, so there will only be one route.  That is, when the second policy is installed, the route installed with the first is replaced/updated.  Since the traffic selectors are sorted (makes comparing and narrowing them easier), it will always be an address in 10.200.209.0/24 that ends up in the route.
> 
> There is currently no way to change or control this behavior.  So you basically have two options, disable automatic route installation completely (charon.install_routes) and install your own routes (might not even be necessary depending on your existing routes), or renumber your subnets so the one you want to ignore comes first when sorted.
> 
> Regards,
> Tobias