Hi Barry,

I can confirm the behavior of the Linux kernel. You need to set up a route to 192.168.2.0/24. It's not going to work otherwise. I understand that this is confusing. The nexthop determined by the routing table is irrelevant because an ESP and another IP header will be put in front of the existing IP header. The destination address from this new header will be the one that is relevant.

But that's a feature of the Linux kernel and not specific to strongSwan. I can still think of situations where it makes sense to do a routing table lookup first: a route can be of type unreachable, prohibit or blackhole. In those cases the kernel should indeed check whether traffic may be routed to a given address. Also, you can specify a number of options per routing table entry, like src address or cwnd (type "ip route help" to get a list). If traffic originates from the local host, then those options have to be accounted for before a packet is processed by IPsec, i.e. the security policy database.

-Daniel

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
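The lookup order Daniel describes, as an added illustrative model that is not part of his reply, the strongSwan project, or the kernel: for locally generated traffic, the routing table is consulted first (so a missing route or an unreachable/prohibit/blackhole route drops the packet before IPsec sees it), and only then is the packet matched against the security policy database, after which the outer header is addressed to the tunnel peer regardless of the nexthop the route chose. All addresses, routes and policies below are constructed sample data; the route and policy classes are simplified stand-ins for the kernel's FIB and XFRM SPD.

```python
"""Simplified model of route lookup before IPsec policy lookup (illustration only)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    rtype: str                   # "unicast", "unreachable", "prohibit" or "blackhole"
    via: Optional[str] = None    # nexthop for unicast routes; irrelevant for the ESP packet
    dev: Optional[str] = None


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    tunnel_dst: str              # outer IP destination of the ESP packet (the tunnel peer)


def lookup_route(routes, dst):
    """Longest-prefix match over the routing table; None models ENETUNREACH."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def lookup_policy(spd, src, dst):
    """First matching outbound policy, as the SPD would select it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:
        if s in p.src and d in p.dst:
            return p
    return None


def send(routes, spd, src, dst):
    """Describe what happens to a locally generated packet from src to dst."""
    r = lookup_route(routes, dst)
    if r is None:
        return "dropped: no route (ENETUNREACH)"
    if r.rtype != "unicast":
        # unreachable/prohibit/blackhole is honoured here, before IPsec runs
        return "dropped: route type %s" % r.rtype
    p = lookup_policy(spd, src, dst)
    if p is None:
        return "sent in clear via %s dev %s" % (r.via or "on-link", r.dev)
    # The outer header goes to the tunnel peer; the inner route's nexthop plays no role.
    outer = lookup_route(routes, p.tunnel_dst)
    return "ESP to %s via %s dev %s" % (p.tunnel_dst, outer.via or "on-link", outer.dev)


def demo():
    """Three constructed scenarios matching the cases discussed in the thread."""
    tunnel_peer = "203.0.113.50"                      # constructed peer address
    onlink = Route(ipaddress.ip_network("203.0.113.0/24"), "unicast", dev="eth0")
    spd = [
        Policy(ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("192.168.2.0/24"), tunnel_peer),
        Policy(ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("192.168.3.0/24"), tunnel_peer),
    ]
    # 1. No route to the remote subnet: the policy never gets a chance to match.
    no_route = send([onlink], spd, "192.168.1.10", "192.168.2.10")
    # 2. A route exists; its nexthop 203.0.113.1 is not the peer and does not matter.
    remote = Route(ipaddress.ip_network("192.168.2.0/24"), "unicast", via="203.0.113.1", dev="eth0")
    with_route = send([onlink, remote], spd, "192.168.1.10", "192.168.2.10")
    # 3. A blackhole route for a subnet the SPD covers still drops the packet.
    hole = Route(ipaddress.ip_network("192.168.3.0/24"), "blackhole")
    blackhole = send([onlink, hole], spd, "192.168.1.10", "192.168.3.10")
    return {"no_route": no_route, "with_route": with_route, "blackhole": blackhole}


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-10s %s" % (name, result))
```

Running `demo()` shows the first packet dropped for lack of a route, the second encapsulated to 203.0.113.50 over the on-link route even though the inner route pointed at 203.0.113.1, and the third dropped by the blackhole route. On a real host the equivalent checks are `ip route get <dst>` for the routing decision and `ip xfrm policy` for the SPD entry that would apply.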