When I install the routes via the updown script I use the commands

/sbin/ip route del default
/sbin/ip route replace default dev usb1 src "$PLUTO_MY_SOURCEIP"

and that puts in a good default route with the source IP address that the traffic selector recognizes for it to do its thing and encrypt the traffic.

-Philip

> On Jul 6, 2015, at 6:43 PM, Zhuyj <[email protected]> wrote:
>
> Do you remove this default route and add several specific routes?
>
> Sent from my iPhone
>
> On Jul 7, 2015, at 9:17, Philip L Hutson <[email protected]> wrote:
>
>> I tried 220 and 0 (for the primary table). Neither overwrote or had a higher
>> priority than the default route that was in the table already.
>> -Philip
>>
>>> On Jul 6, 2015, at 6:01 PM, Zhuyj <[email protected]> wrote:
>>>
>>> table 220 work
>>>
>>> Sent from my iPhone
>>>
>>> On Jul 7, 2015, at 8:36, Philip L Hutson <[email protected]> wrote:
>>>
>>>> I am trying to set up a VPN tunnel from an embedded Linux system (Linux
>>>> system-0004338 2.6.37 #7 Mon Jun 22 14:45:53 PDT 2015 armv7l GNU/Linux) to
>>>> a Cisco ASA. I have a working solution but not the preferred one.
>>>> One of my first problems was when I let strongSwan add the routes it
>>>> didn't overwrite the default route so no traffic would go through. I was
>>>> able to solve this by using an up/down script. But I would prefer that
>>>> strongSwan added/removed the routes.
>>>> The routes it added looked like this:
>>>>
>>>> ip route
>>>> 10.255.254.180/30 dev usb1 src 10.255.254.180
>>>> 0.0.0.0/1 via 10.255.254.181 dev usb1 src 10.3.10.18
>>>> 128.0.0.0/1 via 10.255.254.181 dev usb1 src 10.3.10.18
>>>> default via 10.255.254.181 dev usb1
>>>>
>>>> where the default route at the bottom was there already.
>>>> The route table before was:
>>>>
>>>> ip route
>>>> 10.255.254.180/30 dev usb1 src 10.255.254.180
>>>> default via 10.255.254.181 dev usb1
>>>>
>>>> The second issue is with the system time fix plugin. After the device gets
>>>> a valid time from NTP over the tunnel it invalidates the client SA.
>>>> time fix config
>>>> system time fix <http://pastebin.com/B5WHHbLE>
>>>> LOGFILE <http://pastebin.com/0yu1YFKm> showing the SA being invalidated
>>>>
>>>> The configuration I would like is where if usb1 goes up (after having been
>>>> up before) strongSwan reconnects the tunnel. Currently if usb1 goes down
>>>> (for longer than DPD) and then comes up again and the DHCP client
>>>> gets/assigns an address to usb1 strongSwan does not reconnect the tunnel.
>>>> If I use ipsec up home it comes back up.
>>>> My current working ipsec.conf <http://pastebin.com/B7vPqqDd>
>>>> charon.conf <http://pastebin.com/zY6ZzZgC>
>>>> updown script <http://pastebin.com/JGksUE8p>
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
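The two route commands Philip describes, written out as a small updown-style helper with the matching down-client path, as an added example that is not code from the thread or from strongSwan. PLUTO_VERB and PLUTO_MY_SOURCEIP are the variables strongSwan exports to updown scripts; IFACE, STATE_FILE and APPLY are assumptions made for this example, and commands are printed rather than executed unless APPLY=1.

```shell
#!/bin/sh
# Added example (not from the thread): replace the carrier's default route with
# one on the tunnel interface whose source is the inner IP, and restore the
# original default route when the CHILD_SA goes down. With APPLY unset the
# ip(8) commands are only printed, so the logic can be checked offline.

IFACE="${IFACE:-usb1}"                              # assumption: tunnel iface
STATE_FILE="${STATE_FILE:-/tmp/updown-saved-default}"  # assumption: state path

# Print the command, or run it when APPLY=1.
run_cmd() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# up-client: install a default route via the tunnel interface with the inner
# IP as source, so outbound packets match the traffic selector and get
# encrypted instead of leaking out the carrier's default. $1 = inner source IP.
route_up() {
    run_cmd /sbin/ip route del default
    run_cmd /sbin/ip route replace default dev "$IFACE" src "$1"
}

# down-client: drop the tunnel default and put back the saved one, so a DPD
# timeout or link flap does not leave the box with no default route at all.
# $1 = saved default route spec, e.g. "via 10.255.254.181 dev usb1".
route_down() {
    run_cmd /sbin/ip route del default
    if [ -n "$1" ]; then
        # shellcheck disable=SC2086  # word-split the saved spec on purpose
        run_cmd /sbin/ip route replace default $1
    fi
}

# $1 = PLUTO_VERB, $2 = PLUTO_MY_SOURCEIP, $3 = saved default route spec.
# Other verbs (up-host, down-host, ...) are deliberately no-ops here.
updown_dispatch() {
    case "$1" in
        up-client)   route_up "$2" ;;
        down-client) route_down "$3" ;;
        *)           return 0 ;;
    esac
}

# When invoked by charon: remember the current default route on the way up,
# then dispatch. Nothing runs when PLUTO_VERB is unset (e.g. when sourced).
if [ -n "${PLUTO_VERB:-}" ]; then
    if [ "$PLUTO_VERB" = "up-client" ]; then
        /sbin/ip route show default | sed 's/^default //' > "$STATE_FILE"
    fi
    updown_dispatch "$PLUTO_VERB" "${PLUTO_MY_SOURCEIP:-}" "$(cat "$STATE_FILE" 2>/dev/null)"
fi
```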
