Discussion:
[strongSwan] Kernel routing table missing entry
Code Wiget
2018-11-19 15:20:46 UTC
Hi all,

I’ve created a tunnel between two hosts using strongswan on RHEL 7.5. I can ping from both ends, but there is no new route in my routing table:

$ sudo systemctl stop strongswan
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.16.1     0.0.0.0         UG    100    0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.31.16.0     0.0.0.0         255.255.240.0   U     100    0        0 eth0
172.31.16.50    172.31.16.9     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     172.31.16.9     255.255.255.0   UG    0      0        0 eth0
$ sudo systemctl start strongswan
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.31.16.1     0.0.0.0         UG    100    0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.31.16.0     0.0.0.0         255.255.240.0   U     100    0        0 eth0
172.31.16.50    172.31.16.9     255.255.255.255 UGH   0      0        0 eth0
192.168.1.0     172.31.16.9     255.255.255.0   UG    0      0        0 eth0
I don't understand how this is possible. Is there another lower-level routing table?
Tobias Brunner
2018-11-20 09:17:17 UTC
Hi,
Post by Code Wiget
I don't understand how this is possible. Is there another lower-level routing table?
Yes and no. There are additional routing tables, which you won't see
with the old route command; use the `ip` command from the iproute2
package instead to see the routes installed by strongSwan in routing
table 220 (`ip route list table 220`). However, IPsec in Linux is not
route- but policy-based (you see these IPsec policies with `ip xfrm
policy`). Depending on the negotiated policies and the already
installed routes those in table 220 are not really required (but they
make sure the correct source IP address is selected when sending packets
directly from this host).

Regards,
Tobias
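The three things Tobias points at (the ip rule that reaches table 220, the routes strongSwan puts there, and the xfrm policies that actually decide what gets encrypted) can be checked together. The script below is an added example, not code from the thread or from the strongSwan project. It assumes strongSwan's defaults of charon.install_routes=yes, charon.routing_table=220 and charon.routing_table_prio=220, and it runs against constructed sample outputs unless LIVE=1 is set, in which case it queries the running kernel with iproute2 (run as root). The IP addresses, the tunnel peer 203.0.113.7 and the reqid/priority values in the samples are made up.

```sh
#!/bin/sh
# Added example (not strongSwan project code): inspect the kernel state that
# `route -n` cannot show. Routes live in table 220, reached through an ip rule
# of priority 220; the tunnel decision itself is the xfrm policy.
# Sample outputs are constructed. Set LIVE=1 (as root) to read the real kernel.

SAMPLE_RULES='0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default'

# One route per remote traffic selector, with the source address charon wants
# this host to use when it talks into the tunnel itself.
SAMPLE_T220='192.168.1.0/24 via 172.31.16.1 dev eth0 proto static src 172.31.16.50'

# Constructed `ip xfrm policy` for a host (172.31.16.50) to subnet (192.168.1.0/24) tunnel.
SAMPLE_XFRM='src 172.31.16.50/32 dst 192.168.1.0/24
    dir out priority 371327 ptype main
    tmpl src 172.31.16.50 dst 203.0.113.7
        proto esp reqid 1 mode tunnel
src 192.168.1.0/24 dst 172.31.16.50/32
    dir fwd priority 371327 ptype main
    tmpl src 203.0.113.7 dst 172.31.16.50
        proto esp reqid 1 mode tunnel
src 192.168.1.0/24 dst 172.31.16.50/32
    dir in priority 371327 ptype main
    tmpl src 203.0.113.7 dst 172.31.16.50
        proto esp reqid 1 mode tunnel'

# awk helpers shared by the parsers: dotted quad to integer, prefix length, CIDR containment.
AWK_NET='
function ip2n(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
function plen(cidr,  p) { split(cidr, p, "/"); return (p[2] == "") ? 32 : p[2] + 0 }
function covers(cidr, n,  p, div) { split(cidr, p, "/"); div = 2 ^ (32 - plen(cidr)); return int(ip2n(p[1]) / div) == int(n / div) }
'

# Print the priority of the ip rule that sends lookups to table $1; status 1 if absent.
rule_prio_for_table() {   # stdin: `ip rule show`
    awk -v t="$1" 'NF >= 2 && $(NF-1) == "lookup" && $NF == t { sub(/:$/, "", $1); print $1; found = 1 }
                   END { exit (found ? 0 : 1) }'
}

# Print the longest-prefix route covering destination $1; status 1 if none.
route_for() {   # stdin: `ip route show [table N]`
    awk -v ip="$1" "$AWK_NET"'
    BEGIN { n = ip2n(ip); best = -1 }
    NF > 0 { d = ($1 == "default") ? "0.0.0.0/0" : $1
             if (covers(d, n) && plen(d) > best) { best = plen(d); line = $0 } }
    END { if (best < 0) exit 1; print line }'
}

# Print every policy of direction $1 whose selector covers src $2 -> dst $3, with its
# tunnel endpoints (tmpl); status 1 if none. The kernel uses the lowest priority number.
xfrm_policy_for() {   # stdin: `ip xfrm policy`
    awk -v want="$1" -v s="$2" -v d="$3" "$AWK_NET"'
    function flush(  msg) {
        if (hit != "") {
            msg = hit
            if (tmpl != "") msg = msg " via " tmpl; else msg = msg " (no tmpl: bypass policy)"
            print msg; found = 1
        }
        hit = ""; tmpl = ""
    }
    BEGIN { sn = ip2n(s); dn = ip2n(d) }
    $1 == "src" && $3 == "dst" { flush(); sel_src = $2; sel_dst = $4; next }
    $1 == "dir" { if ($2 == want && covers(sel_src, sn) && covers(sel_dst, dn)) hit = sel_src " -> " sel_dst " dir " $2; next }
    $1 == "tmpl" { tmpl = $3 " -> " $5; next }
    END { flush(); exit (found ? 0 : 1) }'
}

# Read one of the three views from the live kernel (LIVE=1) or the constructed samples.
kernel_view() {   # $1 = rules | t220 | xfrm
    if [ "${LIVE:-0}" = 1 ]; then
        case $1 in
            rules) ip rule show ;;
            t220)  ip route show table "${TABLE:-220}" ;;
            xfrm)  ip xfrm policy ;;
        esac
    else
        case $1 in
            rules) printf '%s\n' "$SAMPLE_RULES" ;;
            t220)  printf '%s\n' "$SAMPLE_T220" ;;
            xfrm)  printf '%s\n' "$SAMPLE_XFRM" ;;
        esac
    fi
}

# Answer "why does ping work with no new route in `route -n`?" for one src/dst pair.
explain() {   # $1 = local source IP, $2 = remote destination IP
    t=${TABLE:-220}
    prio=$(kernel_view rules | rule_prio_for_table "$t") \
        && echo "ip rule prio $prio sends lookups to table $t" \
        || echo "no ip rule for table $t: install_routes=no or charon not running"
    r=$(kernel_view t220 | route_for "$2") \
        && echo "table $t route: $r" \
        || echo "no route in table $t for $2: source selection falls back to the main table"
    p=$(kernel_view xfrm | xfrm_policy_for out "$1" "$2") \
        && echo "xfrm policy decides: $p" \
        || echo "no 'out' xfrm policy for $1 -> $2: this traffic would leave in the clear"
}

explain 172.31.16.50 192.168.1.77
```

The last check is the one that matters for security: a missing route in table 220 only affects which source address the host itself picks, but a missing "out" policy means packets to that destination are sent unprotected. With LIVE=1 the same functions run on the real `ip rule show`, `ip route show table 220` and `ip xfrm policy` output.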
