[strongSwan] Route-Based Site-to-site VPN
Tobias Brunner
tobias at strongswan.org
Mon Mar 28 10:36:12 CEST 2022
Hi Ed,
> How would I go about installing routes in a higher priority
> table for the new site-to-site I want to configure?
strongSwan installs routes in table 220 (see `ip route list table 220`),
which has priority 220 (see `ip rule` if the daemon is running). So you
have to install your routes in a table that has higher priority (lower
numeric value) than that. See the man pages for `ip rule` and `ip
route` for details.
> How can I see charon installed routes? Are these the ones I see with ip
> xfrm policy?
No, those are the IPsec policies. They are independent of the routing
decision (which happens before checking for matching policies).
> So, if I do
>
> ip tunnel add vti100 local X.X.X.X remote Y.Y.Y.Y mode vti key 111
>
> ip link set vti100 up
>
> ip route add 10.0.10.0/24 dev vti100
>
> Would that be sufficient at least for this /24?
You probably want to add `src 192.168.132.20` to your `ip route add`
command so that address is used as source and not e.g. X.X.X.X. And if
automatic routes are installed for other connections, installing in the
main routing table might not work if there are any conflicts (if so,
install the route in a higher-priority table).
Regards,
Tobias
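As an added illustration of the advice above (this is example code, not part of the mail and not strongSwan's own tooling): the script below prints the ip(8) commands for a VTI route placed in a dedicated routing table consulted before strongSwan's table 220, and checks an `ip rule` listing to confirm that table really has a lower (higher-priority) number than 220. Table and priority 100, the documentation addresses 192.0.2.1 and 198.51.100.1, and mark/key 111 are assumptions; `src 192.168.132.20` and 10.0.10.0/24 are the values from the thread. The `ip rule` listing it parses is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example, not from the mail or from strongSwan: plan a VTI route in a
# routing table that wins over strongSwan's table 220, and check an `ip rule`
# listing for that. Table/priority 100, the addresses and key 111 are assumed.

STRONGSWAN_PRIO=220   # the `ip rule` priority strongSwan uses for table 220

# vti_route_commands IFACE LOCAL REMOTE KEY TABLE PRIO SRC PREFIX...
# Prints the ip(8) commands to run; nothing is applied by this function.
vti_route_commands() {
    ifc=$1 lcl=$2 rmt=$3 key=$4 tbl=$5 prio=$6 src=$7
    shift 7
    # Lower rule number = higher priority; refuse a table that 220 would shadow.
    [ "$prio" -lt "$STRONGSWAN_PRIO" ] || {
        echo "priority $prio does not beat strongSwan's $STRONGSWAN_PRIO" >&2
        return 1
    }
    # The vti key is the fwmark that ties packets on the interface to IPsec policies.
    printf '%s\n' "ip tunnel add $ifc local $lcl remote $rmt mode vti key $key"
    printf '%s\n' "ip link set $ifc up"
    # Consult our table before strongSwan's table 220.
    printf '%s\n' "ip rule add priority $prio lookup $tbl"
    for p in "$@"; do
        # src pins the source address so the tunnel endpoint address is not chosen.
        printf '%s\n' "ip route add $p dev $ifc src $src table $tbl"
    done
}

# table_beats_strongswan TABLE  (reads `ip rule` output on stdin)
# Succeeds if some rule selecting TABLE has a lower number than strongSwan's
# rule. Lines look like "100:    from all lookup 100" (extra trailing words,
# e.g. "proto static" on newer iproute2, are tolerated).
table_beats_strongswan() {
    awk -v t="$1" -v sp="$STRONGSWAN_PRIO" '
        {
            for (i = 2; i < NF; i++)
                if ($i == "lookup" && $(i + 1) == t) {
                    p = $1; sub(/:$/, "", p)
                    if (p + 0 < sp + 0) ok = 1
                }
        }
        END { exit ok ? 0 : 1 }'
}

# Constructed `ip rule` listing (not captured from a real host): table 100 is
# consulted before 220, table 300 only after it.
SAMPLE_RULES='0:      from all lookup local
100:    from all lookup 100
220:    from all lookup 220
300:    from all lookup 300
32766:  from all lookup main
32767:  from all lookup default'

# Demo: print the plan for the /24 from the thread and check the sample rules.
vti_route_commands vti100 192.0.2.1 198.51.100.1 111 100 100 192.168.132.20 10.0.10.0/24
printf '%s\n' "$SAMPLE_RULES" | table_beats_strongswan 100 \
    && echo "table 100 is looked up before strongSwan's table 220"
```

To apply the plan on a router, pipe the printed commands through a root shell (for example `vti_route_commands ... | sudo sh`), then run `ip rule | table_beats_strongswan 100` against the live listing. The routes only steer packets onto the VTI; matching IPsec policies (shown by `ip xfrm policy`) for mark 111 are still needed, as the mail points out.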