I can think of another option that might make the whole setup cleaner.

Introduce another route table (e.g. 219), which has priority over the 
table 220, and has the route for the local network. To set that up you 
need to look at the "ip rule" commands.

This way, no matter what charon/pluto do, the route in table 219 will 
always have precedence.

However, depending on how the tunnel was specified (what was specified 
in left/rightsubnet) you might have to add xfrm rules for the network 
traffic as well, because I believe that the xfrm rules are applied 
after the route table lookup on the way out and before on the way in.

Dimitris
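
An added illustration of the lookup order Dimitris and Graham are reasoning about (not code from the thread or from strongSwan): a small model of the Linux policy routing database, where rules are walked in ascending priority and the first table with a matching prefix wins. The table contents, the rule priority 220 for strongSwan's table and the assumed priority 219 for the new table are constructed for the example; the xfrm policy match that follows the route lookup is not modelled.

```python
import ipaddress

# Constructed model of Linux policy routing (RPDB) lookup: rules are consulted
# in ascending priority, each rule names a table, inside a table the longest
# matching prefix wins, and the first table that yields a match ends the
# lookup. Tables and routes below are assumptions modelled on the thread.

def lookup(rules, tables, dst):
    """Return (table, prefix, nexthop) chosen for dst, or None if no route."""
    addr = ipaddress.ip_address(dst)
    for _prio, table in sorted(rules, key=lambda r: r[0]):
        best = None
        for prefix, nexthop in tables.get(table, []):
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nexthop)
        if best is not None:
            return table, str(best[0]), best[1]
    return None

# Main table: the specific LAN route plus the normal default gateway.
MAIN = [("192.168.50.0/24", "dev eth0"), ("0.0.0.0/0", "via 192.168.50.1")]
# Table 220 (strongSwan's): only a default route carrying the virtual IP as
# source, so anything it catches later matches the "dir out" xfrm policy.
TABLE_220 = [("0.0.0.0/0", "via 192.168.50.1 src 1.1.35.49")]

def before_fix(dst):
    # Assumed rule priorities: strongSwan's rule for 220 at 220, main at 32766.
    rules = [(220, 220), (32766, "main")]
    return lookup(rules, {220: TABLE_220, "main": MAIN}, dst)

def after_fix(dst):
    # Dimitris' proposal: a table 219 consulted before 220 that holds the LAN
    # route, so LAN traffic never reaches 220's default route (priority 219 is
    # an assumption; it only has to be numerically lower than 220).
    rules = [(219, 219), (220, 220), (32766, "main")]
    tables = {219: [("192.168.50.0/24", "dev eth0")], 220: TABLE_220, "main": MAIN}
    return lookup(rules, tables, dst)

if __name__ == "__main__":
    print("before:", before_fix("192.168.50.10"))  # LAN host pulled into table 220
    print("after: ", after_fix("192.168.50.10"))   # LAN host routed via eth0 again
    print("after: ", after_fix("8.8.8.8"))         # everything else still via 220
```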

Graham Hudspith wrote:
> Andreas,
>
> Thanks for the reply. I'm afraid I'm not an expert on xfrm policies. Could
> you please give an example of the add command you had in mind?
>
> However, as Daniel states, your diagnosis does not sound quite right to me.
>
> Just going via the ip routing tables (and ignoring xfrm), it seems that
> specific routes take precedence over default routes and strongswan uses a
> separate table (220) because any default route added there takes precedence
> over a default route in the default table.
>
> However, an unintended consequence is that a default route in table 220
> takes precedence over a specific route in the default table. So, as my
> original posting showed, either we need to:
>
>    - get strongswan to add an equivalent specific route to table 220 as
>    already present in the default table, or
>    - get strongswan to NOT use table 220 but to manage the routes in the
>    default table, or
>    - get strongswan to NOT manage routes at all (via the
>    charon.install_routes option in strongswan.conf) and manage the routes
>    ourselves, based on events from charon
>
> Or, is there a fourth option?
>
> Daniel,
>
> Thanks for chipping in!
>
> 2009/11/13 Daniel Mentz <danielml+mailinglists.strongs...@sent.com>
>
>> could you please post the output of
>>
>> ip xfrm policy
>>
> Here you go ...
>
> Regards,
>
> Graham.
>
> # ip xfrm policy
> src 0.0.0.0/0 dst 1.1.35.49/32
>         dir fwd priority 2000
>         tmpl src segw.somewhere.com dst 192.168.50.154
>                 proto esp reqid 1 mode tunnel
> src 0.0.0.0/0 dst 1.1.35.49/32
>         dir in priority 2000
>         tmpl src segw.somewhere.com dst 192.168.50.154
>                 proto esp reqid 1 mode tunnel
> src 1.1.35.49/32 dst 0.0.0.0/0
>         dir out priority 1680
>         tmpl src 192.168.50.154 dst segw.somewhere.com
>                 proto esp reqid 1 mode tunnel
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 3 priority 0
> src 0.0.0.0/0 dst 0.0.0.0/0
>         dir 4 priority 0
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
