
Hi, on the same server I use OpenVPN with strongSwan to interconnect 2 networks:

  • Routes populated via strongswan are less specific (10.0.0.0/8)
  • Routes populated via openvpn are more specific (10.1.1.0/24)

Initially, I was thinking that this wouldn't be an issue, since I only want the /24 to be routed via OpenVPN. However, since strongSwan uses routing table 220, all the 10.1.1.0/24 traffic was sent to strongSwan, making the OpenVPN tunnel unavailable.

I tried to use charon.routing_table=0, which makes strongSwan use the main routing table. Now the routing table seems correct, but curiously, the traffic is still not sent to the OpenVPN tunnel.

Even if I manually remove the route 10.0.0.0/8 (ip route del 10.0.0.0/8), strongSwan seems to catch all traffic to 10.1.1.0/24, but I don't understand why.

How can I make strongSwan avoid catching traffic for more specific subnets that is routed to other devices (tun0 for OpenVPN)?

lobi
Golgot

1 Answer


By default, strongSwan operates in a policy-based mode, meaning that the kernel automatically encrypts traffic based on the negotiated IPsec policies. Since the policy for 10.0.0.0/8 covers traffic for 10.1.1.0/24, it will get processed by the IPsec stack.

To avoid that, you need to configure a bypass policy for the 10.1.1.0/24 subnet (see here for examples). Since that also installs throw routes, you could let strongSwan configure routes in table 220 again.

Another option is to change to a route-based approach for IPsec, e.g. via XFRM or VTI interfaces. Then only traffic routed to a specific interface will be processed by IPsec (the IPsec policies still apply for that traffic, though, so you can't just send any traffic through that interface).

ecdsa
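A swanctl.conf sketch of the bypass-policy approach the answer describes, added here as an illustration and not taken from the original answer or from the strongSwan project; the local subnet 192.168.0.0/24, the peer address 203.0.113.1, the identities and the connection names are constructed placeholders.

```conf
# swanctl.conf (constructed example): the net-to-net tunnel for 10.0.0.0/8
# plus a shunt connection that installs "pass" policies for 10.1.1.0/24,
# so that subnet is left alone by IPsec and stays reachable via tun0 (OpenVPN).
connections {
    net-net {
        remote_addrs = 203.0.113.1        # placeholder peer address
        local {
            auth = psk
            id = gw-a                     # placeholder identity
        }
        remote {
            auth = psk
            id = gw-b                     # placeholder identity
        }
        children {
            net {
                local_ts  = 192.168.0.0/24
                remote_ts = 10.0.0.0/8
                # trap: install the policies on load, negotiate on first packet
                start_action = trap
                esp_proposals = aes256gcm16-x25519
            }
        }
    }

    # Shunt connection: no IKE is negotiated, charon only installs bypass
    # policies (and throw routes in table 220) for this selector. Because
    # the /24 is more specific than the /8 above, its policy takes priority.
    bypass-openvpn {
        children {
            openvpn {
                local_ts  = 0.0.0.0/0     # any local source
                remote_ts = 10.1.1.0/24   # the OpenVPN subnet
                mode = pass
                start_action = trap
            }
        }
    }
}

secrets {
    ike-gw-b {
        id = gw-b
        secret = "PLACEHOLDER-change-me"  # placeholder PSK
    }
}
```

After `swanctl --load-all`, `ip xfrm policy` should list the 10.1.1.0/24 selectors with `action allow` (no template) next to the tunnel policies for 10.0.0.0/8, and with the charon.routing_table override removed from strongswan.conf the throw route for 10.1.1.0/24 in table 220 hands that traffic back to the main table and tun0.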