Since 5.9.12, charon-nm routes traffic via an XFRM interface. To avoid a routing loop, it installs the routes in a separate routing table and sets up a routing rule that excludes a specific mark. That is, traffic with that mark will not get routed via the XFRM interface. IKE and ESP traffic gets that mark applied automatically.

However, there is a problem if the regular IKE daemon (charon or charon-systemd) is also running on the same system, because both use the same routing table by default. Both try to set up conflicting routing rules for that table, but the regular daemon will generally do so first. So the rule is installed without that restriction regarding the mark, and all traffic will be routed via the XFRM interface, causing the loop. So one workaround is to disable the regular IKE daemon (strongswan or strongswan-starter systemd units). Alternatively, a different routing table can be assigned to charon-nm by configuring `charon-nm.routing_table` in strongswan.conf (e.g. set it to 210; the default is 220). The latter is also what will happen with an upcoming fix for this issue (see https://github.com/strongswan/strongswan/commit/49cb7b016f762d0283565d3f712ac466ace9905f).

https://bugs.launchpad.net/bugs/2076421
Title: IKev2 VPN generates a local routing loop
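As an added illustration (not part of the bug report, and not strongSwan's own code), the following POSIX shell snippet checks the output of `ip rule show` for the conflict described in the comment above: a numeric routing table that is the target of both a plain lookup rule and a rule that excludes a firewall mark. The sample rule lines, the mark value 0x2a and the function names are constructed for this example; the only facts taken from the comment are the default table 220 and the 210 used in the workaround.

```shell
#!/bin/sh
# Added example: detect the routing-rule conflict described in the bug comment.
# Not strongSwan code. Input format is that of `ip rule show`; the sample lines
# and the mark value (0x2a) are constructed for this example.

# Constructed sample: the regular charon installed a plain rule for table 220,
# then charon-nm added its mark-excluding rule for the same table. The plain
# rule matches first, so marked IKE/ESP traffic also enters the XFRM interface.
SAMPLE_RULES_BROKEN='0:      from all lookup local
220:    from all lookup 220
220:    not from all fwmark 0x2a lookup 220
32766:  from all lookup main
32767:  from all lookup default'

# Constructed sample after the workaround from the comment, i.e. strongswan.conf
# containing:
#   charon-nm {
#       routing_table = 210
#   }
# Each daemon now owns its own table, so no table carries both kinds of rule.
SAMPLE_RULES_FIXED='0:      from all lookup local
210:    not from all fwmark 0x2a lookup 210
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default'

# Print every numeric table that is the target of both a plain rule and a
# fwmark-qualified rule. That combination is the loop condition: the plain
# rule wins and the exclusion of the mark never takes effect.
conflicting_tables() {
    printf '%s\n' "$1" | awk '
        {
            table = ""
            for (i = 1; i < NF; i++)
                if ($i == "lookup" && $(i+1) ~ /^[0-9]+$/) table = $(i+1)
            if (table == "") next          # "local", "main", "default" etc.
            if ($0 ~ /fwmark/) marked[table] = 1
            else plain[table] = 1
        }
        END { for (t in marked) if (t in plain) print t }
    ' | sort -n
}

# Check the live rule set on a host; returns 0 when no conflict exists.
check_live_rules() {
    conflicts=$(conflicting_tables "$(ip rule show)")
    if [ -n "$conflicts" ]; then
        echo "routing table(s) with conflicting rules: $conflicts" >&2
        return 1
    fi
    return 0
}

echo "broken: $(conflicting_tables "$SAMPLE_RULES_BROKEN")"   # broken: 220
echo "fixed:  '$(conflicting_tables "$SAMPLE_RULES_FIXED")'"  # fixed:  ''
```

On an affected host, `check_live_rules` reports 220 while both daemons are running; after either workaround from the comment (stopping the regular daemon, or giving charon-nm its own `routing_table`) it reports nothing, because the mark-excluding rule is then the only rule for its table.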
