Hi Tobias,

Thank you very much for your very clear answer. I ended up disabling the automatic installation of routes and going through an updown script to install them manually. It works like a charm.

Kind regards,
Jonathan

> On 1 March 2022 at 14:46, Tobias Brunner <[email protected]> wrote:
>
> Hi Jonathan,
>
>> I have tried inverting the local_ts list, and using traffic selectors
>> (although I'd need a wildcard), but haven't been able to make it work. I
>> have no idea how Strongswan chooses the interface it sets up in the routing
>> table.
>
> A route is installed for every outbound IPsec policy. The source IP selected
> for each is the first address found that's contained in the local traffic
> selector.
>
> In your case, there will be two policies, however, both have the same remote
> selector/subnet, so there will only be one route. That is, when the second
> policy is installed, the route installed with the first is replaced/updated.
> Since the traffic selectors are sorted (makes comparing and narrowing them
> easier), it will always be an address in 10.200.209.0/24 that ends up in the
> route.
>
> There is currently no way to change or control this behavior. So you
> basically have two options, disable automatic route installation completely
> (charon.install_routes) and install your own routes (might not even be
> necessary depending on your existing routes), or renumber your subnets so the
> one you want to ignore comes first when sorted.
>
> Regards,
> Tobias
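The approach Jonathan describes (set `charon { install_routes = no }` in strongswan.conf, then let an updown script install the route) can be sketched as follows. This is an added example written for this thread, not Jonathan's script and not strongSwan's own `_updown`. It assumes charon exports the usual `PLUTO_VERB`, `PLUTO_MY_CLIENT`, `PLUTO_PEER_CLIENT` and `PLUTO_INTERFACE` variables to the script, that the script is invoked once per local/remote selector pair, and that the route goes into the main table; the subnet in `WANTED_LOCAL`, the `first_host` helper (which only handles a /24) and the `SRC_IP`/`IP` overrides are constructed for the example. The point it demonstrates is the one from Tobias's reply: with both policies sharing a remote subnet, the second one overwrites the route with an unwanted source address, so the script only acts for the local selector it is told to prefer and pins `src` explicitly.

```shell
#!/bin/sh
# Added example: minimal strongSwan updown script that installs the outbound
# route itself once automatic route installation has been disabled with
#   charon { install_routes = no }
# in strongswan.conf. Assumes the PLUTO_* variables charon exports to updown
# scripts and a main-table route; WANTED_LOCAL and first_host are constructed
# for illustration, and IP=echo turns the script into a dry run.

WANTED_LOCAL="${WANTED_LOCAL:-10.200.210.0/24}"   # constructed: the local subnet to route from
IP="${IP:-ip}"                                    # command used to install routes

# first_host CIDR -> first usable host of a /24 (enough for this example)
first_host() {
    net=${1%/*}               # drop the prefix length
    printf '%s.1\n' "${net%.*}" # replace the last octet with .1
}

# route_args VERB LOCAL_TS REMOTE_TS DEV SRC
# Prints the "ip" arguments for this event. Prints nothing when LOCAL_TS is
# not the selector we want, so the other policy cannot overwrite the route
# with an address from the wrong subnet.
route_args() {
    verb=$1 local_ts=$2 remote_ts=$3 dev=$4 src=$5
    [ "$local_ts" = "$WANTED_LOCAL" ] || return 0
    case $verb in
        up-client|up-host)
            printf 'route replace %s dev %s src %s\n' "$remote_ts" "$dev" "$src" ;;
        down-client|down-host)
            printf 'route del %s dev %s src %s\n' "$remote_ts" "$dev" "$src" ;;
    esac
}

# Entry point when charon runs the script; does nothing if PLUTO_VERB is unset.
if [ -n "$PLUTO_VERB" ]; then
    src=${SRC_IP:-$(first_host "$WANTED_LOCAL")}
    args=$(route_args "$PLUTO_VERB" "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT" \
                      "$PLUTO_INTERFACE" "$src")
    if [ -n "$args" ]; then
        # shellcheck disable=SC2086  # word splitting of $args is intended
        $IP $args
    fi
fi
```

Dry-run it with `IP=echo PLUTO_VERB=up-client PLUTO_MY_CLIENT=10.200.210.0/24 PLUTO_PEER_CLIENT=192.168.5.0/24 PLUTO_INTERFACE=eth0 sh updown.sh` before pointing a connection's `updown` setting at it; the selector filter is what keeps the second policy's `up-client` call from replacing the route with a 10.200.209.0/24 source.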
