[strongSwan] Strange things when policy routing is in use.

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Oct 14 23:41:28 CEST 2022


Hi Kamil,

Configure debug logging exactly as specified in GitHub issue 196[1] and then take a look at the log.
It should contain the route strongSwan tries to install.

You can (and if the reason the route cannot be installed is valid) disable route installation by strongSwan if the routing decision after the new tunnel was established would be different. Consider that this is (at this point in time) a policy-based tunnel. The only reason we need routes is to get the right next hop (can't remember if it's for the actual routing decision or verification of received packets by using the rp_filter (reverse path filter)). The setting to disable route installation is charon.install_routes=no in /etc/strongswan.conf or a related file. On RHEL derivatives that's hidden under /etc/strongswan/.

Kind regards
Noel

On 14.10.22 18:56, Kamil Jońca wrote:
> 
> I have a problem with ipsec and an openvpn tunnel.
> I have to have source based routing.
> 
> Assume we have the configuration below, after the openvpn tunnel (tun0) is up:
> #ip route
> --8<---------------cut here---------------start------------->8---
> default via 172.20.10.1 dev wlan0
> 10.0.0.0/16 via 10.8.17.5 dev tun0
> [...some other routes, important thing is that there are some subnets, not the whole 0.0.0.0/0 ...]
> --8<---------------cut here---------------end--------------->8---
> 
> #ip route show table 1000
> --8<---------------cut here---------------start------------->8---
> 0.0.0.0/1 dev tun0 scope link
> 128.0.0.0/1 dev tun0 scope link
> --8<---------------cut here---------------end--------------->8---
> (I tried not to use "default" route in this table, but with "default" result was the same)
> 
> #ip rule show
> --8<---------------cut here---------------start------------->8---
> 0:	from all lookup local
> 220:	from all lookup 220
> 1000:	from 10.8.17.6 lookup 1000
> 32766:	from all lookup main
> 32767:	from all lookup default
> --8<---------------cut here---------------end--------------->8---
> 
> then I try to establish ipsec connection:
> I got error message like:
> --8<---------------cut here---------------start------------->8---
> [...]
> [IKE] IKE_SA alfa[30] established between 10.8.17.6[zzzz]...xxxx[yyyy]
> [IKE] scheduling rekeying in 13679s
> [IKE] maximum IKE_SA lifetime 15119s
> [CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
> [KNL] received netlink error: Network is unreachable (101)
> [KNL] unable to install source route for 192.168.200.244
> --8<---------------cut here---------------end--------------->8---
> 
> and 192.168.200.244 is attached to the tun0 interface instead of wlan0 as I would expect
> 
> #ip route show table 220
> is empty
> 
> When I start ipsec connection before openvpn - everything works
> also everything works when I resign from using rule 1000 and table
> 1000. (i.e. source based routing)
> 
> 
> Am I doing something wrong?
> KJ
> 
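
To see how the rules and tables quoted above resolve for a given source address, here is an added example (not part of either message, and not strongSwan code) that models the kernel's rule walk in Python. It is a simplified model: the `local` table and every selector except `from` are ignored, and the destination 198.51.100.7 is a constructed sample.

```python
import ipaddress

# Constructed from the `ip rule show` / `ip route` output quoted in the post.
# (priority, "from" selector or None for "from all", table name)
RULES = [
    (220, None, "220"),
    (1000, "10.8.17.6", "1000"),
    (32766, None, "main"),
    (32767, None, "default"),
]
# table name -> list of (prefix, device, gateway or None for a link-scope route)
TABLES = {
    "220": [],  # empty in the post
    "1000": [("0.0.0.0/1", "tun0", None), ("128.0.0.0/1", "tun0", None)],
    "main": [("0.0.0.0/0", "wlan0", "172.20.10.1"),
             ("10.0.0.0/16", "tun0", "10.8.17.5")],
    "default": [],
}

def lookup(dst, src=None):
    """Resolve dst the way the rule list does: rules in priority order,
    longest-prefix match inside each table, falling through to the next
    rule when the table holds no matching route. Returns
    (table, prefix, dev, gateway), or None for 'network is unreachable'."""
    dst_ip = ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(RULES, key=lambda r: r[0]):
        if selector is not None:
            # A "from" rule only applies when the packet's source matches it.
            if src is None:
                continue
            if ipaddress.ip_address(src) not in ipaddress.ip_network(selector):
                continue
        matches = [r for r in TABLES[table]
                   if dst_ip in ipaddress.ip_network(r[0])]
        if matches:
            prefix, dev, gw = max(
                matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
            return (table, prefix, dev, gw)
    return None

if __name__ == "__main__":
    for src in (None, "10.8.17.6"):
        for dst in ("198.51.100.7", "10.0.5.1"):
            print(f"dst={dst} src={src}: {lookup(dst, src)}")
```

On a live host, `ip route get <dst> from <src>` returns the kernel's own answer for the same question.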

