[strongSwan] Route-Based Site-to-site VPN

Tobias Brunner tobias at strongswan.org
Fri Mar 25 11:55:43 CET 2022


Hi Ed,

> Would that have any effect on the rest of my tunnels? What does 
> disabling route installation by the IKE daemon mean exactly in this 
> case and why is it needed?

The main reason for the automatic route installation is to select a 
specific source IP (one contained in the local traffic selectors) to 
send packets that originate from the IPsec gateway itself through the 
tunnel.  Otherwise, the packets won't match the negotiated IPsec policies.

For instance, in our testing environment, if gateways moon and sun 
negotiate a tunnel between 10.1.0.0/16 and 10.2.0.0/16, we want to make 
sure that moon uses 10.1.0.1 when sending packets to hosts in 
10.2.0.0/16 and not 192.168.0.1, which its default route might indicate. 
So a specific route to 10.2.0.0/16 is installed in table 220 that 
lists 10.1.0.1 as preferred source address.

Whether such routes are necessary depends on the negotiated traffic 
selectors, the existing (or any manually installed) routes, and whether 
the gateway is only forwarding traffic (in which case existing routes 
might already cover the traffic) or is actually sending traffic to 
remote hosts itself.

Anyway, with any of the route-based approaches the automatically 
installed routes are generally not correct (they go via physical 
interfaces), which is why charon.install_routes should be disabled and 
routes via tunnel interfaces have to be managed externally (installing 
them in routing tables that have higher priority than the one strongSwan 
uses is also an option to still use automatic routes for policy-based 
tunnels).

Regards,
Tobias
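The setup Tobias describes for gateway moon, scripted as an added example (it is not part of the original thread and not strongSwan's own code): charon.install_routes is disabled, the route for the remote subnet is installed externally via the tunnel interface with the preferred source address pinned, and a small check distinguishes such a route from the automatic one that goes via the physical interface. Values taken from the mail are 10.1.0.0/16 with source 10.1.0.1, 10.2.0.0/16 and table 220; the interface name ipsec0, the physical interface eth0, the XFRM if_id 42, the helper table 100 and the sample route lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): route-based tunnel on
# gateway "moon" with routes managed outside charon.
# From the thread: local 10.1.0.0/16 (source 10.1.0.1), remote 10.2.0.0/16,
# charon's routing table 220.  Assumed for the example: tunnel interface
# ipsec0 (an XFRM interface on eth0 with if_id 42) and helper table 100.

TUN_IF=${TUN_IF:-ipsec0}
PHYS_IF=${PHYS_IF:-eth0}
IF_ID=${IF_ID:-42}
LOCAL_SRC=${LOCAL_SRC:-10.1.0.1}
REMOTE_NET=${REMOTE_NET:-10.2.0.0/16}
ROUTE_TABLE=${ROUTE_TABLE:-100}
CHARON_PRIO=220   # default priority of charon's rule for table 220 (charon.routing_table_prio)

# strongswan.conf fragment: stop charon from installing routes, since for a
# route-based tunnel they would point at the physical interface.
strongswan_conf_fragment() {
    cat <<'EOF'
charon {
    install_routes = no
}
EOF
}

# iproute2 commands that replace charon's automatic route.  The route goes via
# the tunnel interface and still pins the source address, which is the job the
# automatic route in table 220 did for traffic originating on the gateway.
# The rule preference is lower (= higher priority) than charon's, so this also
# works if install_routes is left enabled for other, policy-based tunnels.
route_cmds() {
    printf '%s\n' \
      "ip link add $TUN_IF type xfrm dev $PHYS_IF if_id $IF_ID" \
      "ip link set $TUN_IF up" \
      "ip route add $REMOTE_NET dev $TUN_IF src $LOCAL_SRC table $ROUTE_TABLE" \
      "ip rule add lookup $ROUTE_TABLE pref $((CHARON_PRIO - 20))"
}

# Check one line of `ip route show` output: returns 0 only if the route uses
# the tunnel interface and carries the expected preferred source address.
# A charon-installed route such as
#   10.2.0.0/16 via 192.168.0.2 dev eth0 proto static src 10.1.0.1
# fails this check because it goes via the physical interface.
route_is_tunnel() {
    case " $1 " in
        *" dev $TUN_IF "*) ;;
        *) return 1 ;;
    esac
    case " $1 " in
        *" src $LOCAL_SRC "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Dry run by default; set APPLY=1 (as root) to actually install the routes.
if [ "${APPLY:-0}" = 1 ]; then
    route_cmds | sh -ex
else
    strongswan_conf_fragment
    route_cmds
fi
```

The connection in swanctl.conf must reference the same XFRM interface ID via if_id_in and if_id_out so that traffic hitting the IPsec policies is handed to ipsec0; after the tunnel is up, `ip route show table 100` should show the route passing route_is_tunnel, while any leftover entries in table 220 for 10.2.0.0/16 indicate charon is still installing routes.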

