Hi Jonathan,

> I have tried inverting the local_ts list, and using traffic selectors (although I’d need a wildcard), but haven’t been able to make it work. I have no idea how Strongswan chooses the interface it sets up in the routing table.

A route is installed for every outbound IPsec policy. The source IP selected for each is the first address found that's contained in the local traffic selector.

In your case, there will be two policies, however, both have the same remote selector/subnet, so there will only be one route. That is, when the second policy is installed, the route installed with the first is replaced/updated. Since the traffic selectors are sorted (makes comparing and narrowing them easier), it will always be an address in 10.200.209.0/24 that ends up in the route.

There is currently no way to change or control this behavior. So you basically have two options: disable automatic route installation completely (charon.install_routes) and install your own routes (might not even be necessary depending on your existing routes), or renumber your subnets so the one you want to ignore comes first when sorted.

Regards,
Tobias
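An added example, not part of this thread and not strongSwan's own code, that models the route-installation behaviour described in the reply above: one route per outbound policy, keyed by the remote subnet, with the source address being the first local address contained in the local traffic selector, and a later policy with the same remote subnet overwriting the earlier route. Only 10.200.209.0/24 comes from the thread; the second local subnet (10.100.0.0/24), the remote subnet (192.0.2.0/24), the host addresses, the renumbered subnet (10.0.0.0/24) and the use of Python's natural network ordering to stand in for charon's traffic-selector sort are all assumptions made for the illustration.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address
Policy = Tuple[Net, Net]  # (local traffic selector, remote traffic selector)


def select_source(local_ts: Net, local_addrs: Iterable[Addr]) -> Optional[Addr]:
    """Pick the route's source IP: the first local address that is contained
    in the policy's local traffic selector."""
    for addr in local_addrs:
        if addr in local_ts:
            return addr
    return None


def install_routes(policies: List[Policy],
                   local_addrs: List[Addr]) -> Dict[Net, Optional[Addr]]:
    """Model of automatic route installation: one route per outbound policy,
    keyed by the remote subnet. Policies are processed in sorted traffic-
    selector order (assumption: modelled with ipaddress network ordering),
    so a later policy with the same remote subnet replaces the route that
    was installed for the earlier one."""
    routes: Dict[Net, Optional[Addr]] = {}
    for local_ts, remote_ts in sorted(policies):
        routes[remote_ts] = select_source(local_ts, local_addrs)
    return routes


# Constructed sample data (not from the thread): two local subnets that both
# talk to the same remote subnet. Only 10.200.209.0/24 is mentioned in the
# reply; the other subnet, the remote subnet and the hosts are invented here.
REMOTE = Net("192.0.2.0/24")
LOCAL_ADDRS = [Addr("10.100.0.1"), Addr("10.200.209.1")]
POLICIES: List[Policy] = [
    (Net("10.200.209.0/24"), REMOTE),
    (Net("10.100.0.0/24"), REMOTE),
]


def as_configured() -> Dict[str, str]:
    """Both policies share one remote subnet, so only one route survives:
    the one from the local selector that sorts last (10.200.209.0/24)."""
    return {str(dst): str(src) for dst, src in
            install_routes(POLICIES, LOCAL_ADDRS).items()}


def renumbered() -> Dict[str, str]:
    """Second option from the reply: renumber the subnet you want ignored so
    it sorts first and is therefore overwritten. 10.200.209.0/24 is moved to
    a hypothetical 10.0.0.0/24, which sorts before 10.100.0.0/24."""
    moved_addrs = [Addr("10.100.0.1"), Addr("10.0.0.1")]
    moved_policies: List[Policy] = [
        (Net("10.0.0.0/24"), REMOTE),
        (Net("10.100.0.0/24"), REMOTE),
    ]
    return {str(dst): str(src) for dst, src in
            install_routes(moved_policies, moved_addrs).items()}


if __name__ == "__main__":
    for label, routes in (("as configured", as_configured()),
                          ("renumbered", renumbered())):
        for dst, src in routes.items():
            print(f"{label}: route to {dst} uses src {src}")
```

Running it shows the same remote subnet getting a single route whose source flips from 10.200.209.1 to 10.100.0.1 once the unwanted subnet sorts first; the other option from the reply, setting charon.install_routes to no and adding routes by hand, is not modelled here since it replaces this logic entirely.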
