Issue #2356

passthrough policy installs incorrect route in table 220

Added by Carl-Daniel Hailfinger almost 3 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.5.1
Resolution:
No change required

Description

Hello,

I have the following ipsec.conf:

conn passthrough-1
        leftsubnet=10.0.0.0/8
        rightsubnet=10.0.0.0/8
        type=pass
        auto=route
        authby=never

Local IP configuration:

# ip -4 a l eth2
2: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 10.20.121.100/24 brd 10.20.121.255 scope global eth2
       valid_lft forever preferred_lft forever
# ip r l
default via 10.20.121.1 dev eth2  proto static 
10.20.121.0/24 dev eth2  proto kernel  scope link  src 10.20.121.100  metric 1 

The connection passthrough-1 causes a route to get installed in table 220:

# ip r l table 220
10.0.0.0/8 via 10.20.121.1 dev eth2  proto static  src 10.20.121.186 

That route means passthrough doesn't work for the local subnet because traffic in the local subnet gets forcibly passed through the local gateway.

If I change the connection passthrough-1 to have any additional qualifier like [icmp] for either leftsubnet or rightsubnet or both, the route in table 220 is not installed anymore and passthrough in the local lan works.

strongswan 5.5.1 on Ubuntu 14.04.5 LTS x86_64.

History

#1 Updated by Carl-Daniel Hailfinger almost 3 years ago

By the way, it seems that this bug only happens if the network/mask for the passthrough policy differs from the network/mask for the local network.

(Yes, I know that this should be solvable with the bypass-lan plugin, but that's not in 5.5.1 and besides that it's disabled by default.)

#2 Updated by Tobias Brunner almost 3 years ago

  • Status changed from New to Feedback

That route means passthrough doesn't work for the local subnet because traffic in the local subnet gets forcibly passed through the local gateway.

That's because your default route is the only one that allows routing 10.0.0.0/8. So either don't install any routes at all (charon.install_routes=no) or properly set your passthrough config to 10.20.121.0/24 so it matches that route.
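The route selection Tobias describes can be checked without a strongSwan host. The following is an added example, not strongSwan's own code: it models the main routing table from the report and assumes (as a simplification of charon's behaviour) that charon installs in table 220 a copy of the most specific main-table route that covers the whole remote traffic selector. Because 10.0.0.0/8 is wider than the connected 10.20.121.0/24 route, only the default route covers it, so the table 220 entry inherits the gateway and, since table 220 is consulted before main, on-link traffic to 10.20.121.x is sent to 10.20.121.1. Narrowing the selector to 10.20.121.0/24, or setting charon.install_routes=no, both restore direct delivery. The route list and the 10.20.121.50 test address are constructed from the values in the report.

```python
"""Model of why a 10.0.0.0/8 passthrough policy puts a gateway route in
table 220 while 10.20.121.0/24 does not (added example, not strongSwan code).

Assumption (simplified charon behaviour): the route installed in table 220
copies gateway and device from the most specific main-table route whose
destination contains the *entire* remote traffic selector.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class Route:
    dst: IPv4Network            # destination prefix; 0.0.0.0/0 is the default route
    dev: str
    via: Optional[str] = None   # gateway address, None for a directly connected route


# Main table as shown by "ip r l" in the report (constructed sample data)
MAIN_TABLE: List[Route] = [
    Route(ip_network("0.0.0.0/0"), "eth2", via="10.20.121.1"),
    Route(ip_network("10.20.121.0/24"), "eth2"),
]


def covering_route(table: List[Route], selector: str) -> Optional[Route]:
    """Longest-prefix route whose destination contains the whole selector."""
    sel = ip_network(selector)
    candidates = [r for r in table if sel.subnet_of(r.dst)]
    return max(candidates, key=lambda r: r.dst.prefixlen, default=None)


def table220_route(table: List[Route], selector: str,
                   install_routes: bool = True) -> Optional[Route]:
    """Route charon would install in table 220 for a passthrough selector.

    Returns None when nothing is installed (charon.install_routes = no, or
    no main-table route covers the selector)."""
    if not install_routes:
        return None
    base = covering_route(table, selector)
    if base is None:
        return None
    return Route(ip_network(selector), base.dev, via=base.via)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Plain longest-prefix match of a single destination inside one table."""
    addr = ip_address(dst)
    candidates = [r for r in table if addr in r.dst]
    return max(candidates, key=lambda r: r.dst.prefixlen, default=None)


def next_hop(dst: str, selector: str, install_routes: bool = True) -> Optional[str]:
    """Simulate policy routing: table 220 (priority 220) before main.

    Returns the gateway address, or "direct" for on-link delivery."""
    t220 = []
    installed = table220_route(MAIN_TABLE, selector, install_routes)
    if installed is not None:
        t220.append(installed)
    for table in (t220, MAIN_TABLE):
        r = lookup(table, dst)
        if r is not None:
            return r.via or "direct"
    return None


if __name__ == "__main__":
    host = "10.20.121.50"   # another host on the local LAN (constructed)
    for selector, install in (("10.0.0.0/8", True),
                              ("10.20.121.0/24", True),
                              ("10.0.0.0/8", False)):
        r = table220_route(MAIN_TABLE, selector, install)
        print(f"selector={selector:16} install_routes={install!s:5} "
              f"table220={r} next_hop({host})={next_hop(host, selector, install)}")
```

Running it prints that the /8 selector yields a table 220 entry via 10.20.121.1 and sends LAN traffic to the gateway, whereas the /24 selector yields an on-link entry and install_routes=no yields none; in both of the latter cases the LAN host is reached directly.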

#3 Updated by Tobias Brunner almost 3 years ago

  • Description updated (diff)

#4 Updated by Tobias Brunner almost 2 years ago

  • Category changed from kernel-interface to configuration
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required