How can I set the source IP in strongswan's routing table

Question

I have a site-to-site VPN where there's one subnet on the remote side and two on the local one:

conn site-to-site
  leftsubnet = 10.10.0.0/16,10.11.0.0/16
  rightsubnet = 10.50.0.0/16

Everything works fine, but I'm having an issue where the "wrong" local IP is inserted into strongSwan's routing table:

$ ip route show table 220
    10.50.0.0/16 via <REDACTED> dev eth-ext src 10.11.0.1 

strongSwan chooses the local IP of the 10.11.0.0/16 subnet as source IP for the IPsec tunnel (i.e. 10.11.0.1), but I'd like to use the second one (10.10.0.1).

I've tried setting leftsourceip to 10.10.0.1, but that didn't seem to have an effect. Is there another configuration item I can use to tell strongSwan which local IP to use as source IP for its routing table?

Answer 1

Unless you disable route installation via charon.install_routes and manually install a route (either before or after establishing the connection), there is currently no direct way to control this. Whether specific routes (as installed by strongSwan) are required in the first place depends on the existing routes and the negotiated traffic selectors.

strongSwan installs a route for every local and remote subnet (selecting a source address in the respective local subnet), so if you have multiple local subnets these routes will conflict (all have the same destination) and, depending on the strongSwan version, either the first or last route installed will remain in the kernel. So you could try to experiment with the order of local subnets, but that might not work if they are reordered somewhere.

To manually install routes when a CHILD_SA is installed the updown script, or the child-updown event provided via VICI may be used.

Finally, leftsourceip is used for the virtual IP feature (i.e. it triggers a request for a virtual IP from the responder).