Specify outgoing network interface in ipsec.conf for one IPSec tunnel?

Asked Jan 19 '21 at 22:28

Active Jan 19 '21 at 22:28

Viewed 745 times

I'd like one of my tunnels to go out a particular interface. Is there a way to specify it?

ipsec.conf

conn remotehost.example.org
keyexchange=ikev2
type=tunnel
authby=psk
rekey=yes
keyingtries=%forever
ike=aes128gcm128-aesxcbc-modp2048!
ikelifetime=28800s
esp=aes128gcm128-modp2048!
lifetime=3600s
dpddelay=30
dpdtimeout=120
dpdaction=restart
left=%defaultroute
leftid=myhost.example.com
leftsubnet=10.0.0.1/16
leftfirewall=yes
right=remotehost.example.org
rightid=remotehost.example.org
rightsubnet=10.5.0.0/16
rightfirewall=yes
auto=start

Both the left and right hosts have dynamic IP addresses, so it is not trivial to do this with routing.

asked Jan 19 '21 at 22:28

ensnare

2,212
7
24
40

There is no such option. Did you try using marks and a separate routing table for marked traffic that directs packets to a particular interface? – ecdsa Jan 20 '21 at 14:49
Thanks, haven’t tried that. Any examples? – ensnare Jan 21 '21 at 03:13
No, but maybe configure a routing rule like `ip rule add fwmark table ` and add a default route to that table, then set _charon.plugins.socket-default.fwmark _ in strongswan.conf (optional but might force IKE packets also via that interface) and _connections..children..set_mark_out_ in swanctl.conf (there is no option for it in ipsec.conf, it also requires at least a 4.14 kernel) to the same mark value.
– ecdsa Jan 21 '21 at 09:39

Specify outgoing network interface in ipsec.conf for one IPSec tunnel?

0 Answers0