Re: [strongSwan] Strange things when policy routing is in use.

2022-10-14 Thread Noel Kuntze

Hi Kamil,

Configure debug logging exactly as specified in GitHub issue 196[1] and then 
take a look at the log.
It should contain the route strongSwan tries to install.

You can (and if the reason the route cannot be installed is valid) disable 
route installation by strongSwan if the routing decision after the new tunnel 
was established would be different. Consider that this is (at this point in time) a 
policy-based tunnel. The only reason we need routes is to get the right next 
hop (can't remember if it's for the actual routing decision or verification of 
received packets by using the rp_filter (reverse path filter)). The setting to 
disable route installation is charon.install_routes=no in /etc/strongswan.conf 
or a related file. On RHEL derivatives that's hidden under /etc/strongswan/.

Kind regards
Noel

On 14.10.22 18:56, Kamil Jońca wrote:


I have a problem with an ipsec and openvpn tunnel.
I have to have source based routing.

Assume we have the configuration below, after the openvpn tunnel (tun0) is up:
#ip route
--8<---cut here---start->8---
default via 172.20.10.1 dev wlan0
10.0.0.0/16 via 10.8.17.5 dev tun0
[...some other routes; the important thing is that there are some subnets, not 
the whole 0.0.0.0/0 ...]
--8<---cut here---end--->8---

#ip route show table 1000
--8<---cut here---start->8---
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
--8<---cut here---end--->8---
(I tried not to use "default" route in this table, but with "default" result 
was the same)

#ip rule show
--8<---cut here---start->8---
0:      from all lookup local
220:    from all lookup 220
1000:   from 10.8.17.6 lookup 1000
32766:  from all lookup main
32767:  from all lookup default
--8<---cut here---end--->8---

Then I try to establish an ipsec connection and get an error message like:
--8<---cut here---start->8---
[...]
[IKE] IKE_SA alfa[30] established between 10.8.17.6[]...[]
[IKE] scheduling rekeying in 13679s
[IKE] maximum IKE_SA lifetime 15119s
[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
[KNL] received netlink error: Network is unreachable (101)
[KNL] unable to install source route for 192.168.200.244
--8<---cut here---end--->8---

and 192.168.200.244 is attached to the tun0 interface instead of wlan0 as I would 
expect.

#ip route show table 220
is empty

When I start the ipsec connection before openvpn, everything works.
Everything also works when I give up using rule 1000 and table
1000 (i.e. source based routing).


Am I doing something wrong?
KJ



[strongSwan] Strange things when policy routing is in use.

2022-10-14 Thread Kamil Jońca


I have a problem with an ipsec and openvpn tunnel.
I have to have source based routing.

Assume we have the configuration below, after the openvpn tunnel (tun0) is up:
#ip route 
--8<---cut here---start->8---
default via 172.20.10.1 dev wlan0 
10.0.0.0/16 via 10.8.17.5 dev tun0
[...some other routes; the important thing is that there are some subnets, not 
the whole 0.0.0.0/0 ...]
--8<---cut here---end--->8---

#ip route show table 1000
--8<---cut here---start->8---
0.0.0.0/1 dev tun0 scope link 
128.0.0.0/1 dev tun0 scope link 
--8<---cut here---end--->8---
(I tried not to use "default" route in this table, but with "default" result 
was the same)

#ip rule show
--8<---cut here---start->8---
0:      from all lookup local
220:    from all lookup 220
1000:   from 10.8.17.6 lookup 1000
32766:  from all lookup main
32767:  from all lookup default
--8<---cut here---end--->8---

Then I try to establish an ipsec connection and get an error message like:
--8<---cut here---start->8---
[...]
[IKE] IKE_SA alfa[30] established between 10.8.17.6[]...[]
[IKE] scheduling rekeying in 13679s
[IKE] maximum IKE_SA lifetime 15119s
[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
[KNL] received netlink error: Network is unreachable (101)
[KNL] unable to install source route for 192.168.200.244
--8<---cut here---end--->8---

and 192.168.200.244 is attached to the tun0 interface instead of wlan0 as I would 
expect.

#ip route show table 220
is empty

When I start the ipsec connection before openvpn, everything works.
Everything also works when I give up using rule 1000 and table
1000 (i.e. source based routing).


Am I doing something wrong?
KJ

-- 
http://wolnelektury.pl/wesprzyj/teraz/
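To make the lookup chain behind the question concrete, here is a small simulation of the kernel's policy-routing decision over the tables posted in the thread. It is an added example, not code from the thread or from strongSwan: the rules and tables are reconstructed from the quoted `ip rule show` and `ip route` output (the local table is left empty, the other routes elided in the post are omitted), and the `resolve`, `longest_prefix_match` and `without_rule` names are mine. It is written in Python rather than as `ip` commands so that it runs without root or the interfaces involved.

```python
from ipaddress import ip_address, ip_network

# Rules and tables reconstructed from the `ip rule show` / `ip route` output
# quoted in the thread (constructed sample data; "local" entries are omitted).
RULES = [
    # (priority, source selector or None for "from all", table name)
    (0, None, "local"),
    (220, None, "220"),          # table strongSwan installs its routes into
    (1000, "10.8.17.6", "1000"),  # the source-based rule from the post
    (32766, None, "main"),
    (32767, None, "default"),
]

TABLES = {
    # table -> list of (prefix, device, gateway or None)
    "local": [],
    "220": [],                   # "ip route show table 220" is empty in the post
    "1000": [("0.0.0.0/1", "tun0", None), ("128.0.0.0/1", "tun0", None)],
    "main": [("0.0.0.0/0", "wlan0", "172.20.10.1"),
             ("10.0.0.0/16", "tun0", "10.8.17.5")],
    "default": [],
}


def longest_prefix_match(routes, dst):
    """Return the most specific route in one table covering dst, or None."""
    best = None
    for prefix, dev, gw in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return best


def resolve(dst, src=None, rules=RULES, tables=TABLES):
    """Simulate the kernel's policy-routing walk: rules are visited by
    priority, a rule with a source selector is skipped unless src matches,
    and a table with no matching route falls through to the next rule.

    Returns a dict with the winning table/route plus the tables consulted,
    or None when nothing matches (the "Network is unreachable" outcome).
    """
    dst_ip = ip_address(dst)
    src_ip = ip_address(src) if src is not None else None
    consulted = []
    for _prio, selector, table in sorted(rules, key=lambda r: r[0]):
        if selector is not None and src_ip != ip_address(selector):
            continue
        consulted.append(table)
        hit = longest_prefix_match(tables[table], dst_ip)
        if hit is not None:
            net, dev, gw = hit
            return {"table": table, "prefix": str(net), "dev": dev,
                    "gateway": gw, "consulted": consulted}
    return None


def without_rule(prio, rules=RULES):
    """Rule set with one priority removed (the 'drop rule 1000' experiment)."""
    return [r for r in rules if r[0] != prio]


if __name__ == "__main__":
    peer = "192.168.200.244"
    # Packet sourced from the tun0 address: rule 1000 wins, peer reached via tun0.
    print(resolve(peer, src="10.8.17.6"))
    # Same source without rule 1000: falls through to main, leaves via wlan0.
    print(resolve(peer, src="10.8.17.6", rules=without_rule(1000)))
    # No source selected yet: rule 1000 does not apply, main table, wlan0.
    print(resolve(peer))
```

Running it shows why the peer ends up on tun0: with source 10.8.17.6 the walk stops at table 1000, whose two /1 routes cover every destination, so the main table's default route via wlan0 is never consulted; remove rule 1000 and the same source falls through to main and leaves via wlan0, matching the observation that everything works without the rule. The empty table 220 is visited and skipped on every lookup, and it is the table strongSwan installs its own routes into (charon.routing_table defaults to 220). On the real host the counterpart of `resolve` is `ip route get <dst> from <src>`, which is the quickest way to confirm which table and device a given source/destination pair actually hits before and after the tunnel comes up.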