[strongSwan] Redirect 0.0.0.0/0 into tunnel for local side
Kevin Olbrich
2018-07-21 07:03:47 UTC
Hi!

During updates today (F28) I broke my strongswan setup.
The upgraded server has a VPN connection to another office and its purpose
is to route all traffic including internet.

I set "rightsubnet=0.0.0.0/0" which was working perfectly fine but after
today's update, strongswan edits the default route of the main kernel table
to ipsec0 which effectively cuts off all management access.

Also I set charon.install_routes to no but it still modifies the route. How
can I completely disable route modification? I am setting the rules
(shorewall providers) myself.

Kevin
Tobias Brunner
2018-07-23 09:07:41 UTC
Hi Kevin,
Post by Kevin Olbrich
> I set "rightsubnet=0.0.0.0/0" which was working
> perfectly fine but after today's update, strongswan edits the default
> route of the main kernel table to ipsec0 which effectively cuts off all
> management access.

strongSwan should install its routes in table 220, by default, not the
main routing table (not that it makes much of a difference). But how
did you enable management access before? Bypass/passthrough policies?
Did you actually use the kernel-libipsec plugin [1] with the old
version? Or was this installed/enabled by mistake during the update?
If that's the case, disable it [2] (it currently doesn't support such
policies).

Post by Kevin Olbrich
> Also I set charon.install_routes to no but it still modifies the route.

That's because kernel-libipsec doesn't work without routes.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/kernel-libipsec
[2] https://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
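
Added example, not part of the original thread and not strongSwan's own tooling: a small shell check for the condition Tobias describes, reporting whether kernel-libipsec is among the loaded plugins and whether the main table's default route sits on an ipsec device. The sample inputs are constructed, and the function names (`plugin_loaded`, `default_dev`, `diagnose`) are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the shape of `ipsec statusall` output (not from a real host).
SAMPLE_STATUS='Status of IKE charon daemon (strongSwan, Linux, x86_64):
  loaded plugins: charon aes sha2 hmac x509 pubkey kernel-libipsec kernel-netlink socket-default stroke
Listening IP addresses:
  192.0.2.10'

# Constructed sample in the shape of `ip route show table main` output.
SAMPLE_MAIN='default dev ipsec0 scope link
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10'

# Succeeds if plugin $2 is an exact entry on the "loaded plugins:" line of $1.
plugin_loaded() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /loaded plugins:/ { for (i = 3; i <= NF; i++) if ($i == p) found = 1 }
        END { exit !found }'
}

# Prints the device of the first default route in route listing $1.
default_dev() {
    printf '%s\n' "$1" | awk '
        $1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Verdict from status text $1 and main-table listing $2.
diagnose() {
    if ! plugin_loaded "$1" kernel-libipsec; then
        echo "kernel-libipsec not loaded"
        return 0
    fi
    dev=$(default_dev "$2")
    case "$dev" in
        ipsec*) echo "kernel-libipsec loaded, main default route on $dev" ;;
        *)      echo "kernel-libipsec loaded, main default route not on an ipsec device" ;;
    esac
}

# Live use (needs a running daemon):
#   diagnose "$(ipsec statusall)" "$(ip route show table main)"
diagnose "$SAMPLE_STATUS" "$SAMPLE_MAIN"
```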