[strongSwan] Strange things when policy routing is in use.

Kamil Jońca kjonca at op.pl
Fri Oct 14 18:56:18 CEST 2022


I have a problem with an ipsec and openvpn tunnel.
I have to have source-based routing.

Assume we have the configuration below, after the openvpn tunnel (tun0) is up:
#ip route 
--8<---------------cut here---------------start------------->8---
default via 172.20.10.1 dev wlan0 
10.0.0.0/16 via 10.8.17.5 dev tun0
[...some other routes; the important thing is that there are some subnets, not the whole 0.0.0.0/0 ...]
--8<---------------cut here---------------end--------------->8---

#ip route show table 1000
--8<---------------cut here---------------start------------->8---
0.0.0.0/1 dev tun0 scope link 
128.0.0.0/1 dev tun0 scope link 
--8<---------------cut here---------------end--------------->8---
(I tried not to use a "default" route in this table, but with "default" the result was the same)

#ip rule show
--8<---------------cut here---------------start------------->8---
0:	from all lookup local
220:	from all lookup 220
1000:	from 10.8.17.6 lookup 1000
32766:	from all lookup main
32767:	from all lookup default
--8<---------------cut here---------------end--------------->8---

Then I try to establish an ipsec connection.
I get an error message like:
--8<---------------cut here---------------start------------->8---
[...]
[IKE] IKE_SA alfa[30] established between 10.8.17.6[zzzz]...xxxx[yyyy]
[IKE] scheduling rekeying in 13679s
[IKE] maximum IKE_SA lifetime 15119s
[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
[KNL] received netlink error: Network is unreachable (101)
[KNL] unable to install source route for 192.168.200.244
--8<---------------cut here---------------end--------------->8---

and 192.168.200.244 is attached to the tun0 interface instead of wlan0, as I would expect.

#ip route show table 220
is empty

When I start the ipsec connection before openvpn, everything works.
Everything also works when I stop using rule 1000 and table
1000 (i.e. source-based routing).


Am I doing something wrong?
KJ

-- 
http://wolnelektury.pl/wesprzyj/teraz/
